
Browser Hijack


This topic is locked
18 replies to this topic

#1 CT3


  • Members
  • 13 posts

Posted 09 June 2012 - 08:41 PM

Issue began with ads popping up during browsing sessions. Ilivid ad being one prominent pop-up ad seen frequently. Then began getting Windows style dialog box messages stating there were various issues with my HDD. Scans with AVIRA Free Edition and Malwarebytes found TR/Strictor.443.2, TR/Crypt.Zpack.GEN 8, EXP/11-3544.FN.1 and EXP/SWF.CK. These appear to have been removed as subsequent scans by the applications referenced have produced no further detections as recently as last evening. However, the ads remain and are active as are the redirects as well. Submitted a help request to your forum for this and went through the steps as directed. It was determined that my "Hosts" file was hijacked. Please advise. Thanks.

Attached Files




#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 June 2012 - 12:33 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 CT3

  • Topic Starter

  • Members
  • 13 posts

Posted 10 June 2012 - 07:15 PM

Results of screen317's Security Check version 0.99.41
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Avira Desktop
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Spybot - Search & Destroy
Secunia PSI
Malwarebytes Anti-Malware version 1.60.1.1000
HijackThis 2.0.2
CCleaner
Java™ 6 Update 20
Java version out of date!
Adobe Flash Player 10 Flash Player out of date!
Adobe Reader 9 Adobe Reader out of date!
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 7%
````````````````````End of Log``````````````````````


Combo Fix Log:
ComboFix 12-06-10.01 - Curt Thompson 06/10/2012 19:40:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1435 [GMT -4:00]
Running from: c:\documents and settings\Curt Thompson\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall Pro *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Rita Thompson\g2mdlhlpx.exe
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\drivers\1028_DELL_XPS_Dell DXP061 .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DXP061 .MRK
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SET6F.tmp
c:\windows\system32\SET70.tmp
c:\windows\system32\SET71.tmp
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-10 to 2012-06-10 )))))))))))))))))))))))))))))))
.
.
2012-06-04 02:59 . 2012-06-04 02:59 -------- d-----w- c:\program files\Dropbox
2012-05-15 00:53 . 2012-05-15 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-05-15 00:53 . 2012-05-15 00:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-05-14 00:48 . 2012-05-14 00:48 -------- d-----w- c:\documents and settings\Rita Thompson\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 19:19 . 2007-07-31 00:18 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2007-12-11 03:35 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2007-12-11 03:35 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2007-12-11 03:35 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2007-07-31 00:19 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2008-06-08 18:28 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2007-12-11 03:35 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2007-07-31 00:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2007-07-31 00:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2004-08-04 10:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2007-07-31 00:18 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2007-12-11 03:35 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2008-06-08 18:28 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2009-06-13 11:57 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2009-06-13 11:57 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 19:18 . 2008-10-16 18:07 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-08 18:41 . 2012-03-13 02:12 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-08 18:41 . 2012-03-13 02:12 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-04-11 13:14 . 2005-03-30 01:21 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2004-08-04 10:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2005-03-30 01:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56 . 2008-12-24 02:39 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Curt Thompson\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Curt Thompson\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Curt Thompson\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Curt Thompson\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-14 196608]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe" [2009-03-08 147456]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"Norton Save and Restore 2.0"="c:\program files\Norton Save and Restore\Agent\VProTray.exe" [2008-05-07 2037088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe" [2010-05-13 110192]
"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2010-06-30 121456]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\documents and settings\Rita Jane Thompson\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [N/A]
.
c:\documents and settings\Curt Thompson\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Curt Thompson\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-6-24 803176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Documents and Settings\\Curt Thompson\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [3/12/2012 10:12 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/12/2012 10:12 PM 86224]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 5:33 PM 249648]
R2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [2/13/2007 7:57 PM 3425632]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/5/2011 11:18 AM 2214504]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [6/29/2011 10:12 PM 109168]
R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [7/8/2011 9:27 PM 1714176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2009 8:53 AM 133104]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 7:31 PM 195336]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2009 8:53 AM 133104]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [2/12/2012 2:17 PM 1034240]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 8:20 AM 12648]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-19 12:52]
.
2012-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-19 12:52]
.
2012-06-10 c:\windows\Tasks\User_Feed_Synchronization-{1E6CEC75-9DAD-444D-BFEA-FB0811FAACFD}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
2012-06-10 c:\windows\Tasks\User_Feed_Synchronization-{B305307A-3158-4119-9DBD-9B55DF3FB7E3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.10.209
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-10 19:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-06-10 19:46:21
ComboFix-quarantined-files.txt 2012-06-10 23:46
.
Pre-Run: 213,851,557,888 bytes free
Post-Run: 214,482,722,816 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 889C957A3EF108B3C9657E7051290CEB


After ComboFix computer appears to be running normally. No redirects were experienced and no ads are popping up. This looks like a go. Please advise on any additional steps to take. Thanks.

#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 June 2012 - 09:51 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 CT3

  • Topic Starter

  • Members
  • 13 posts

Posted 11 June 2012 - 10:43 PM

Spoke too soon about my computer appearing to be running well. Had a redirect and another ad again this evening. TDSS log is included. The aswMBR tool ran for a long time but did not finish its scan due to a Windows error message, so there is no log from that tool here now. Please advise.

21:55:19.0562 3832 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
21:55:19.0859 3832 ============================================================
21:55:19.0859 3832 Current date / time: 2012/06/11 21:55:19.0859
21:55:19.0859 3832 SystemInfo:
21:55:19.0859 3832
21:55:19.0859 3832 OS Version: 5.1.2600 ServicePack: 3.0
21:55:19.0859 3832 Product type: Workstation
21:55:19.0859 3832 ComputerName: CURT-8CB43AC215
21:55:19.0859 3832 UserName: Curt Thompson
21:55:19.0859 3832 Windows directory: C:\WINDOWS
21:55:19.0859 3832 System windows directory: C:\WINDOWS
21:55:19.0859 3832 Processor architecture: Intel x86
21:55:19.0859 3832 Number of processors: 2
21:55:19.0859 3832 Page size: 0x1000
21:55:19.0859 3832 Boot type: Normal boot
21:55:19.0859 3832 ============================================================
21:55:23.0156 3832 !crdlk
21:55:23.0156 3832 Drive \Device\Harddisk0\DR0 - Size: 0x3A35000000 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76B9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
21:55:23.0187 3832 ============================================================
21:55:23.0187 3832 \Device\Harddisk0\DR0:
21:55:23.0203 3832 MBR partitions:
21:55:23.0203 3832 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1A1079
21:55:23.0203 3832 ============================================================
21:55:23.0359 3832 C: <-> \Device\Harddisk0\DR0\Partition0
21:55:23.0390 3832 ============================================================
21:55:23.0390 3832 Initialize success
21:55:23.0390 3832 ============================================================
21:55:27.0828 3824 ============================================================
21:55:27.0828 3824 Scan started
21:55:27.0828 3824 Mode: Manual;
21:55:27.0828 3824 ============================================================
21:55:28.0265 3824 aawservice - ok
21:55:29.0125 3824 Abiosdsk - ok
21:55:29.0125 3824 abp480n5 - ok
21:55:29.0437 3824 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:55:29.0437 3824 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: 8fd99680a539792a30e97944fdaecf17, Fake md5: 25a0e4c6de3d09685fbb763fae90847b
21:55:29.0437 3824 ACPI ( ForgedFile.Multi.Generic ) - warning
21:55:29.0437 3824 ACPI - detected ForgedFile.Multi.Generic (1)
21:55:29.0546 3824 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:55:29.0546 3824 ACPIEC - ok
21:55:29.0546 3824 adpu160m - ok
21:55:29.0625 3824 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:55:29.0687 3824 aec - ok
21:55:30.0109 3824 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
21:55:30.0109 3824 AFD - ok
21:55:30.0109 3824 Aha154x - ok
21:55:30.0109 3824 aic78u2 - ok
21:55:30.0109 3824 aic78xx - ok
21:55:30.0218 3824 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
21:55:30.0312 3824 Alerter - ok
21:55:30.0468 3824 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
21:55:30.0468 3824 ALG - ok
21:55:30.0468 3824 AliIde - ok
21:55:30.0468 3824 amsint - ok
21:55:30.0968 3824 AntiVirSchedulerService (0a1cc583e8147004e4ad4625d7fbf88c) C:\Program Files\Avira\AntiVir Desktop\sched.exe
21:55:30.0968 3824 AntiVirSchedulerService - ok
21:55:31.0312 3824 AntiVirService (c9a36ef935aced86aedf93e97e606911) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
21:55:31.0312 3824 AntiVirService - ok
21:55:31.0687 3824 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
21:55:31.0703 3824 Apple Mobile Device - ok
21:55:32.0109 3824 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
21:55:32.0312 3824 AppMgmt - ok
21:55:38.0625 3824 AR9271 (8e2257584b2c52d44b4cb1949947d885) C:\WINDOWS\system32\DRIVERS\athuw.sys
21:55:39.0750 3824 AR9271 - ok
21:55:41.0546 3824 asc - ok
21:55:41.0546 3824 asc3350p - ok
21:55:41.0546 3824 asc3550 - ok
21:55:41.0765 3824 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
21:55:42.0125 3824 aspnet_state - ok
21:55:42.0218 3824 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:55:42.0218 3824 AsyncMac - ok
21:55:42.0250 3824 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:55:42.0265 3824 atapi - ok
21:55:42.0265 3824 Atdisk - ok
21:55:42.0312 3824 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:55:42.0312 3824 Atmarpc - ok
21:55:42.0453 3824 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
21:55:42.0468 3824 AudioSrv - ok
21:55:42.0515 3824 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:55:42.0515 3824 audstub - ok
21:55:43.0312 3824 Automatic LiveUpdate Scheduler (018fe8992fe4d70b69ae866ea0d83f0d) C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
21:55:43.0312 3824 Automatic LiveUpdate Scheduler - ok
21:55:43.0593 3824 avgntflt (d5541f0afb767e85fc412fc609d96a74) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
21:55:43.0593 3824 avgntflt - ok
21:55:44.0031 3824 avipbb (7d967a682d4694df7fa57d63a2db01fe) C:\WINDOWS\system32\DRIVERS\avipbb.sys
21:55:44.0046 3824 avipbb - ok
21:55:44.0187 3824 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys
21:55:44.0187 3824 avkmgr - ok
21:55:44.0750 3824 BBSvc (2ed050291bc1d7f9e322e328db3aaecf) C:\Program Files\Microsoft\BingBar\BBSvc.EXE
21:55:44.0906 3824 BBSvc - ok
21:55:45.0593 3824 BBUpdate (785de7abda13309d6065305542829e76) C:\Program Files\Microsoft\BingBar\SeaPort.EXE
21:55:45.0593 3824 BBUpdate - ok
21:55:45.0687 3824 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:55:45.0687 3824 Beep - ok
21:55:46.0906 3824 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
21:55:47.0515 3824 BITS - ok
21:55:48.0390 3824 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
21:55:48.0390 3824 Bonjour Service - ok
21:55:48.0640 3824 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
21:55:48.0703 3824 Browser - ok
21:55:48.0921 3824 catchme - ok
21:55:49.0015 3824 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:55:49.0031 3824 cbidf2k - ok
21:55:49.0031 3824 cd20xrnt - ok
21:55:49.0203 3824 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:55:49.0234 3824 Cdaudio - ok
21:55:49.0437 3824 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:55:49.0500 3824 Cdfs - ok
21:55:49.0703 3824 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:55:49.0765 3824 Cdrom - ok
21:55:49.0968 3824 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
21:55:50.0015 3824 cercsr6 - ok
21:55:50.0015 3824 Changer - ok
21:55:50.0046 3824 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
21:55:50.0062 3824 CiSvc - ok
21:55:50.0203 3824 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
21:55:50.0312 3824 ClipSrv - ok
21:55:50.0968 3824 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
21:55:51.0468 3824 clr_optimization_v2.0.50727_32 - ok
21:55:51.0468 3824 CmdIde - ok
21:55:51.0468 3824 COMSysApp - ok
21:55:51.0484 3824 Cpqarray - ok
21:55:51.0640 3824 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
21:55:51.0656 3824 cpudrv - ok
21:55:51.0890 3824 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
21:55:51.0890 3824 CryptSvc - ok
21:55:51.0890 3824 dac2w2k - ok
21:55:51.0906 3824 dac960nt - ok
21:55:52.0703 3824 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
21:57:35.0765 3824 ============================================================
21:57:35.0765 3824 Scan finished
21:57:35.0765 3824 ============================================================
21:57:35.0765 2012 Detected object count: 1
21:57:35.0765 2012 Actual detected object count: 1
21:59:03.0359 2012 ACPI ( ForgedFile.Multi.Generic ) - skipped by user
21:59:03.0359 2012 ACPI ( ForgedFile.Multi.Generic ) - User select action: Skip
21:59:29.0140 1004 Deinitialize success

#6 gringo_pr

  • Malware Response Team

Posted 12 June 2012 - 08:29 AM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 CT3

  • Topic Starter
  • Members
  • 13 posts

Posted 12 June 2012 - 08:16 PM

OTL logfile created on: 6/12/2012 8:55:11 PM - Run 2
OTL by OldTimer - Version 3.2.43.0 Folder = C:\Documents and Settings\Curt Thompson\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.31 Gb Available Physical Memory | 65.65% Memory free
3.85 Gb Paging File | 3.17 Gb Available in Paging File | 82.32% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.81 Gb Total Space | 199.65 Gb Free Space | 85.76% Space Free | Partition Type: NTFS

Computer Name: CURT-8CB43AC215 | User Name: Curt Thompson | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Curt Thompson\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Documents and Settings\Curt Thompson\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Photodex\ProShowProducer\scsiaccess.exe ()
PRC - C:\Program Files\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
PRC - C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe (Portrait Displays Inc.)
PRC - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe ()
PRC - C:\Program Files\Portrait Displays\Pivot Pro Plugin\Floater.exe ()
PRC - C:\Program Files\Portrait Displays\Pivot Pro Plugin\wpCtrl.exe ()
PRC - C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe (Portrait Displays, Inc.)
PRC - C:\Program Files\Secunia\PSI\psi.exe (Secunia)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Norton Save and Restore\Agent\VProTray.exe (Symantec Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe (DataViz, Inc.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe (HP)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll ()
MOD - C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Photodex\ProShowProducer\scsiaccess.exe ()
MOD - C:\Program Files\Common Files\Portrait Displays\Shared\DThook.dll ()
MOD - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe ()
MOD - C:\Program Files\Portrait Displays\Pivot Pro Plugin\Floater.exe ()
MOD - C:\Program Files\Portrait Displays\Pivot Pro Plugin\wpCtrl.exe ()


========== Win32 Services (SafeList) ==========

SRV - (aawservice) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe File not found
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (ScsiAccess) -- C:\Program Files\Photodex\ProShowProducer\scsiaccess.exe ()
SRV - (BBSvc) -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE (Microsoft Corporation.)
SRV - (BBUpdate) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
SRV - (DTSRVC) -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe ()
SRV - (PdiService) -- C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe (Portrait Displays, Inc.)
SRV - (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (Norton Save and Restore) -- C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe (Symantec Corporation)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE (Symantec Corporation)
SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (TSP) -- C:\WINDOWS\system32\drivers\klif.sys File not found
DRV - (RimUsb) -- System32\Drivers\RimUsb.sys File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (PalmUSBD) -- system32\drivers\PalmUSBD.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\CURTTH~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (avkmgr) -- C:\WINDOWS\system32\drivers\avkmgr.sys (Avira GmbH)
DRV - (Linksys_adapter_H) -- C:\WINDOWS\system32\drivers\AE2500xp.sys (Broadcom Corporation)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (Pivot) -- C:\WINDOWS\system32\drivers\pivot.sys (Portrait Displays, Inc.)
DRV - (pivotmou) -- C:\WINDOWS\system32\drivers\pivotmou.sys (Portrait Displays, Inc.)
DRV - (PdiPorts) -- C:\WINDOWS\system32\drivers\PdiPorts.sys (Portrait Displays, Inc.)
DRV - (AR9271) -- C:\WINDOWS\system32\drivers\athuw.sys (Atheros Communications, Inc.)
DRV - (cpudrv) -- C:\Program Files\SystemRequirementsLab\cpudrv.sys ()
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (symsnap) -- C:\WINDOWS\system32\drivers\symsnap.sys (StorageCraft)
DRV - (ACPI) -- C:\WINDOWS\system32\drivers\acpi.sys ()
DRV - (VProEventMonitor) -- C:\WINDOWS\system32\drivers\vproeventmonitor.sys (Symantec Corporation)
DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (WimFltr) -- C:\WINDOWS\system32\drivers\WimFltr.sys (Microsoft Corporation)
DRV - (v2imount) -- C:\WINDOWS\system32\drivers\v2imount.sys (Symantec Corporation)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (sfsync02) StarForce Protection Synchronization Driver (version 2.x) -- C:\WINDOWS\system32\drivers\sfsync02.sys (Protection Technology)
DRV - (sfdrv01) StarForce Protection Environment Driver (version 1.x) -- C:\WINDOWS\system32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\WINDOWS\system32\drivers\sfhlp02.sys (Protection Technology)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1547161642-57989841-725345543-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1547161642-57989841-725345543-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1547161642-57989841-725345543-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-1547161642-57989841-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2012/01/16 18:26:57 | 000,001,395 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 93.115.241.28 www.google-analytics.com.
O1 - Hosts: 93.115.241.28 ad-emea.doubleclick.net.
O1 - Hosts: 93.115.241.28 www.statcounter.com.
O1 - Hosts: 69.72.252.254 www.google-analytics.com.
O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
O1 - Hosts: 69.72.252.254 www.statcounter.com.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DT ACR] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe (HP)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Norton Save and Restore 2.0] C:\Program Files\Norton Save and Restore\Agent\VProTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [PivotSoftware] C:\Program Files\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [StartupDelayer] C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe (r2 studios)
O4 - HKU\S-1-5-21-1547161642-57989841-725345543-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-1547161642-57989841-725345543-1008..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - Startup: C:\Documents and Settings\Curt Thompson\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Curt Thompson\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Documents and Settings\Curt Thompson\Start Menu\Programs\Startup\Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (Secunia)
O4 - Startup: C:\Documents and Settings\Rita Jane Thompson\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1547161642-57989841-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1547161642-57989841-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1547161642-57989841-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1547161642-57989841-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1547161642-57989841-725345543-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1547161642-57989841-725345543-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} http://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab (System Requirements Lab Class)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www2.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212897163296 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244838932468 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab (SysInfo Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.209
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A19FDF49-CBEE-49CC-A41D-6631A8BD2024}: DhcpNameServer = 192.168.10.209
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/10 23:36:55 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/11 22:01:14 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Curt Thompson\Desktop\aswMBR.exe
[2012/06/10 20:33:05 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Curt Thompson\Recent
[2012/06/10 20:33:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/06/10 20:11:37 | 000,476,960 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/06/10 19:38:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/06/10 19:36:46 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/06/10 19:36:46 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/06/10 19:36:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/06/10 19:36:46 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/06/10 19:36:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/06/10 19:36:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/06/10 19:34:15 | 004,540,367 | R--- | C] (Swearware) -- C:\Documents and Settings\Curt Thompson\Desktop\ComboFix.exe
[2012/06/03 22:59:50 | 000,000,000 | ---D | C] -- C:\Program Files\Dropbox
[2012/05/24 21:56:00 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Curt Thompson\Desktop\dds.scr
[2012/05/15 21:54:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Curt Thompson\Application Data\WinRAR
[2012/05/14 20:53:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/05/14 20:53:52 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/05/14 20:53:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/05/13 23:02:56 | 002,075,184 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Curt Thompson\Desktop\tdsskiller.exe
[2012/05/13 22:39:27 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Curt Thompson\Desktop\OTL.exe
[2012/05/13 22:34:27 | 000,399,264 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\Curt Thompson\Desktop\unhide.exe
[13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/12 21:00:00 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1E6CEC75-9DAD-444D-BFEA-FB0811FAACFD}.job
[2012/06/12 20:56:00 | 000,000,448 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B305307A-3158-4119-9DBD-9B55DF3FB7E3}.job
[2012/06/12 20:33:45 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/12 20:33:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/12 20:31:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/11 23:02:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/11 22:01:13 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Curt Thompson\Desktop\aswMBR.exe
[2012/06/11 21:54:11 | 002,108,959 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\Desktop\tdsskiller.zip
[2012/06/10 20:15:28 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2012/06/10 20:11:27 | 000,476,960 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/06/10 20:11:27 | 000,472,864 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2012/06/10 20:11:27 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/06/10 20:11:27 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/06/10 20:11:27 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/06/10 20:11:27 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/06/10 19:39:03 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/06/10 19:34:15 | 004,540,367 | R--- | M] (Swearware) -- C:\Documents and Settings\Curt Thompson\Desktop\ComboFix.exe
[2012/06/10 19:28:03 | 000,853,862 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\Desktop\SecurityCheck.exe
[2012/06/09 20:57:25 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/06/03 22:59:55 | 000,001,052 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\Start Menu\Programs\Startup\Dropbox.lnk
[2012/06/03 22:59:45 | 000,001,052 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\Desktop\Dropbox.lnk
[2012/06/02 15:19:44 | 000,022,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll.mui
[2012/06/02 15:19:38 | 000,329,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll
[2012/06/02 15:19:38 | 000,329,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wucltui.dll
[2012/06/02 15:19:38 | 000,219,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuaucpl.cpl
[2012/06/02 15:19:38 | 000,210,968 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuweb.dll
[2012/06/02 15:19:34 | 000,097,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdm.dll
[2012/06/02 15:19:34 | 000,097,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cdm.dll
[2012/06/02 15:19:34 | 000,053,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuauclt.exe
[2012/06/02 15:19:34 | 000,045,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wups2.dll
[2012/06/02 15:19:34 | 000,035,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wups.dll
[2012/06/02 15:19:34 | 000,035,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wups.dll
[2012/06/02 15:19:34 | 000,015,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui
[2012/06/02 15:19:24 | 000,577,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll
[2012/06/02 15:19:24 | 000,577,048 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuapi.dll
[2012/06/02 15:19:18 | 001,933,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wuaueng.dll
[2012/06/02 15:18:58 | 000,275,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2012/06/02 15:18:58 | 000,017,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2012/05/31 09:22:09 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2012/05/24 22:01:43 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\Desktop\jqcj0v45.exe
[2012/05/24 21:56:01 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Curt Thompson\Desktop\dds.scr
[2012/05/24 21:53:50 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\defogger_reenable
[2012/05/24 21:52:28 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\Desktop\Defogger.exe
[2012/05/16 22:40:44 | 001,857,786 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\Desktop\ProcessExplorer.zip
[2012/05/15 21:54:04 | 000,000,622 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\Desktop\TakeOwnership.zip
[2012/05/15 21:10:48 | 000,396,041 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\Desktop\MiniToolBox.exe
[2012/05/14 20:53:56 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/05/14 20:53:56 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Curt Thompson\Desktop\Spybot - Search & Destroy.lnk
[2012/05/13 23:03:08 | 002,075,184 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Curt Thompson\Desktop\tdsskiller.exe
[2012/05/13 22:39:28 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Curt Thompson\Desktop\OTL.exe
[2012/05/13 22:32:10 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\Curt Thompson\Desktop\unhide.exe
[2012/05/13 21:05:11 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/10 19:39:03 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/06/10 19:39:00 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/06/10 19:36:46 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/06/10 19:36:46 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/06/10 19:36:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/06/10 19:36:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/06/10 19:36:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/06/10 19:28:00 | 000,853,862 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Desktop\SecurityCheck.exe
[2012/06/09 20:57:24 | 000,000,720 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Start Menu\Programs\Startup\Secunia PSI.lnk
[2012/05/24 22:01:43 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Desktop\jqcj0v45.exe
[2012/05/24 21:53:50 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\defogger_reenable
[2012/05/24 21:52:28 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Desktop\Defogger.exe
[2012/05/18 22:40:07 | 002,108,959 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Desktop\tdsskiller.zip
[2012/05/16 22:40:39 | 001,857,786 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Desktop\ProcessExplorer.zip
[2012/05/15 21:54:20 | 000,000,622 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Desktop\TakeOwnership.zip
[2012/05/15 21:10:47 | 000,396,041 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Desktop\MiniToolBox.exe
[2012/05/14 20:53:56 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/05/14 20:53:56 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Desktop\Spybot - Search & Destroy.lnk
[2012/05/13 22:36:33 | 000,001,766 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Application Data\Microsoft\Internet Explorer\Quick Launch\Belarc Advisor.lnk
[2012/05/13 22:36:33 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/05/13 22:36:33 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/05/13 22:36:33 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/05/13 22:36:33 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/05/13 22:36:32 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN.lnk
[2012/05/13 22:36:32 | 000,001,803 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
[2012/05/13 22:36:32 | 000,001,787 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2012/05/13 22:36:32 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2012/05/13 22:36:32 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012/05/13 22:36:30 | 000,001,754 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Belarc Advisor.lnk
[2012/05/13 22:36:29 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2012/05/13 22:36:29 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2012/02/15 21:22:14 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/27 12:07:50 | 000,060,464 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/09/03 15:07:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Curt Thompson\Local Settings\Application Data\{C911D419-5397-4DC3-BB81-C2A2DA401E9A}
[2011/07/05 11:18:12 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/07/05 11:18:12 | 000,273,344 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/07/05 11:18:12 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/07/05 11:17:55 | 002,123,582 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/06/30 21:14:07 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/06/29 22:13:17 | 000,007,432 | ---- | C] () -- C:\WINDOWS\System32\Machnm32.sys

< End of report >

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 13 June 2012 - 07:52 AM

Hello

Run this custom script and, when it is complete, I need to know how the computer is doing.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the textbox. Do not include the word Code.
    :OTL
    :otl
    FF - user.js - File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    O4 - Startup: C:\Documents and Settings\Rita Jane Thompson\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk = File not found
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O1 - Hosts: 93.115.241.28 www.google-analytics.com.
    O1 - Hosts: 93.115.241.28 ad-emea.doubleclick.net.
    O1 - Hosts: 93.115.241.28 www.statcounter.com.
    O1 - Hosts: 69.72.252.254 www.google-analytics.com.
    O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
    O1 - Hosts: 69.72.252.254 www.statcounter.com.
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top.
  • Click the button shown.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know how things are doing.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 CT3 (Topic Starter)

Posted 13 June 2012 - 09:16 PM

========== OTL ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ not found.
File move failed. C:\Documents and Settings\Rita Jane Thompson\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google Sidewiki...\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Unable to save new HOSTS file
Unable to save new HOSTS file
Unable to save new HOSTS file
Unable to save new HOSTS file
Unable to save new HOSTS file
Unable to save new HOSTS file
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Curt Thompson\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Curt Thompson\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: Administrator.CURT-8CB43AC215

User: All Users

User: Curt IV

User: Curt Thompson
->Java cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

User: Rita Jane Thompson
->Java cache emptied: 0 bytes

User: Rita Thompson
->Java cache emptied: 0 bytes

User: UpdatusUser

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: Administrator.CURT-8CB43AC215
->Flash cache emptied: 0 bytes

User: All Users

User: Curt IV

User: Curt Thompson
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: Rita Jane Thompson
->Flash cache emptied: 0 bytes

User: Rita Thompson
->Flash cache emptied: 0 bytes

User: UpdatusUser
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.43.0 log created on 06132012_215530

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Rita Jane Thompson\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk not found!

Registry entries deleted on Reboot...



I'll let you know how the computer is doing after I have a chance to use it a little more to see if the issues reappear. Thanks

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 13 June 2012 - 09:26 PM

Please download RogueKiller

Save to the Desktop
Close all windows and browsers
Windows Seven: Right-click the downloaded file and select 'Run as Administrator'
Press: SCAN
A report opens on the Desktop: RKreport.txt

Please copy/paste the RKreport.txt , and provide it in your reply.

Note:
If RogueKiller is blocked, do not hesitate to try running it again.
If it still fails to run, right-click on the downloaded icon and select: Rename
Then, rename it to winlogon.exe and try again

#11 CT3 (Topic Starter)

Posted 14 June 2012 - 09:13 PM

Still having issues with redirects and pop-ups. Was redirected when I went to this site and clicked on the Forum tab. Rogue Killer report below.

RogueKiller V7.5.4 [06/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Curt Thompson [Admin rights]
Mode: Scan -- Date: 06/14/2012 21:55:16

Bad processes: 0

Registry Entries: 4
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver: [LOADED]
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xA7315D84)
SSDT[41] : NtCreateKey @ 0x80623FD6 -> HOOKED (Unknown @ 0xA7315D3E)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xA7315D8E)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xA7315D34)
SSDT[63] : NtDeleteKey @ 0x80624472 -> HOOKED (Unknown @ 0xA7315D43)
SSDT[65] : NtDeleteValueKey @ 0x80624642 -> HOOKED (Unknown @ 0xA7315D4D)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xA7315D7F)
SSDT[98] : NtLoadKey @ 0x806261FA -> HOOKED (Unknown @ 0xA7315D52)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xA7315D20)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xA7315D25)
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (Unknown @ 0xA7315DA7)
SSDT[193] : NtReplaceKey @ 0x806260AA -> HOOKED (Unknown @ 0xA7315D5C)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xA7315D98)
SSDT[204] : NtRestoreKey @ 0x806259B6 -> HOOKED (Unknown @ 0xA7315D57)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xA7315D93)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xA7315D9D)
SSDT[247] : NtSetValueKey @ 0x80622548 -> HOOKED (Unknown @ 0xA7315D48)
SSDT[255] : NtSystemDebugControl @ 0x80617FAA -> HOOKED (Unknown @ 0xA7315DA2)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xA7315D2F)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xA7315DB6)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xA7315DBB)

Infection :

HOSTS File:
127.0.0.1 localhost
::1 localhost
93.115.241.28 www.google-analytics.com.
93.115.241.28 ad-emea.doubleclick.net.
93.115.241.28 www.statcounter.com.
69.72.252.254 www.google-analytics.com.
69.72.252.254 ad-emea.doubleclick.net.
69.72.252.254 www.statcounter.com.


MBR Check:

+++++ PhysicalDrive0: Volume0 +++++
--- User ---
[MBR] 24f09d89b02acb8cfdc9a85eb68a94a5
[BSP] d2393e4155972240bad9b8dae6cffc3b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238402 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt
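
The HOSTS block in the report above is the whole hijack in six lines: three script hosts that a great many pages embed (Google Analytics, DoubleClick, StatCounter) are pointed at two unrelated public addresses, so whoever answers at those addresses can hand the browser a script of their choosing on every site that loads one of them, which is consistent with the pop-ups and redirects described. The following is an added example, not code from the thread or from RogueKiller or OTL, showing how to triage a HOSTS file for such entries: it parses the file, classifies each line by where its address points (a loopback or 0.0.0.0 entry only blackholes a name, as ad-blocking lists do; a private address is a plausible LAN mapping; a routable address is a redirect), groups the hijacked names by destination, and emits a copy with only the redirect lines removed. The sample input is constructed from the entries reported above with the stock Microsoft comment line added. Stripping the trailing dot from the hostnames is an assumption made so that `www.x.com.` and `www.x.com` compare equal; it is a canonicalisation for matching, not a claim about how the Windows resolver treats the dot.

```python
"""Triage a Windows HOSTS file for entries that redirect names elsewhere."""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input: the HOSTS contents RogueKiller listed in the post
# above, with the stock Microsoft comment line added. Not read from disk.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
93.115.241.28 www.google-analytics.com.
93.115.241.28 ad-emea.doubleclick.net.
93.115.241.28 www.statcounter.com.
69.72.252.254 www.google-analytics.com.
69.72.252.254 ad-emea.doubleclick.net.
69.72.252.254 www.statcounter.com.
"""


class HostsEntry(NamedTuple):
    lineno: int             # 1-based line number in the file
    address: str            # address field exactly as written
    names: Tuple[str, ...]  # hostnames, lower-cased, trailing dot removed
    kind: str               # 'blackhole', 'lan', 'redirect' or 'invalid'


def classify_address(addr: str) -> str:
    """What an entry pointing at `addr` does to the names on its line.

    blackhole: loopback or unspecified (0.0.0.0), the form blocking lists use
    lan:       private or link-local, plausibly a legitimate local mapping
    redirect:  any routable address; the name is sent somewhere else entirely
    invalid:   not an IP address at all
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback or ip.is_unspecified:
        return "blackhole"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "redirect"


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS text; comments and blank lines are skipped, not errors."""
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address with no names: ignore
        # Assumption: strip the FQDN trailing dot so 'www.x.com.' and
        # 'www.x.com' compare equal. Canonicalisation for matching only.
        names = tuple(n.lower().rstrip(".") for n in fields[1:])
        entries.append(HostsEntry(lineno, fields[0], names,
                                  classify_address(fields[0])))
    return entries


def find_redirects(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Only the entries that send a name to a routable address."""
    return [e for e in entries if e.kind == "redirect"]


def redirects_by_address(entries: List[HostsEntry]) -> Dict[str, List[str]]:
    """Group hijacked names under the address they are being sent to."""
    grouped: Dict[str, List[str]] = {}
    for e in find_redirects(entries):
        bucket = grouped.setdefault(e.address, [])
        for n in e.names:
            if n not in bucket:
                bucket.append(n)
    return {addr: sorted(names) for addr, names in grouped.items()}


def clean_hosts(text: str) -> str:
    """Return the file with redirect lines removed and all other lines untouched."""
    bad = {e.lineno for e in find_redirects(parse_hosts(text))}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1)
            if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for addr, names in redirects_by_address(parse_hosts(SAMPLE_HOSTS)).items():
        print(f"{addr} hijacks: {', '.join(names)}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it as-is to see the two destination addresses each listed with the same three hijacked names, followed by the cleaned file, which keeps the comment and the two localhost lines. To triage a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `parse_hosts` instead of the constructed sample; the classifier is deliberately conservative about private addresses, because a home or office HOSTS file may legitimately map names to LAN hosts and those should be reviewed rather than deleted.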

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 14 June 2012 - 09:20 PM

On the RogueKiller console, click the Hosts tab.
Make sure the entries there are checked, if there is an option to do so.
Then, press the [HostFix] button.

Please provide the RKreport (Mode: Delete) created on the Desktop.
(The RKreport also opens using the Report button on the console.)

#13 CT3 (Topic Starter)

Posted 15 June 2012 - 10:22 PM

RogueKiller V7.5.4 [06/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Curt Thompson [Admin rights]
Mode: Scan -- Date: 06/15/2012 23:03:20

Bad processes: 0

Registry Entries: 4
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver: [LOADED]
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xA649FB34)
SSDT[41] : NtCreateKey @ 0x80623FD6 -> HOOKED (Unknown @ 0xA649FAEE)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xA649FB3E)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xA649FAE4)
SSDT[63] : NtDeleteKey @ 0x80624472 -> HOOKED (Unknown @ 0xA649FAF3)
SSDT[65] : NtDeleteValueKey @ 0x80624642 -> HOOKED (Unknown @ 0xA649FAFD)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xA649FB2F)
SSDT[98] : NtLoadKey @ 0x806261FA -> HOOKED (Unknown @ 0xA649FB02)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xA649FAD0)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xA649FAD5)
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (Unknown @ 0xA649FB57)
SSDT[193] : NtReplaceKey @ 0x806260AA -> HOOKED (Unknown @ 0xA649FB0C)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xA649FB48)
SSDT[204] : NtRestoreKey @ 0x806259B6 -> HOOKED (Unknown @ 0xA649FB07)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xA649FB43)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xA649FB4D)
SSDT[247] : NtSetValueKey @ 0x80622548 -> HOOKED (Unknown @ 0xA649FAF8)
SSDT[255] : NtSystemDebugControl @ 0x80617FAA -> HOOKED (Unknown @ 0xA649FB52)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xA649FADF)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xA649FB66)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xA649FB6B)

Infection :

HOSTS File:
127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: Volume0 +++++
--- User ---
[MBR] 24f09d89b02acb8cfdc9a85eb68a94a5
[BSP] d2393e4155972240bad9b8dae6cffc3b : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238402 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 15 June 2012 - 10:26 PM

And how are things doing now?


gringo

#15 CT3 (Topic Starter)

Posted 16 June 2012 - 09:09 PM

Computer seems to be working as it should. No ads have appeared and no redirects have occurred. Any advice you may have on preventing a repeat of this episode is appreciated.



