Google Redirect and Rootkit


  • This topic is locked
12 replies to this topic

#1 Catul

Catul

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:53 PM

Posted 24 July 2012 - 08:42 AM

I'm helping a friend with an infected Windows XP computer - he initially had the fake "File Recovery" screen with multiple popups about an HD error. Google searches in IE are being redirected. Also, the screen keeps flashing often (going black and then back to the desktop again); this doesn't happen in Safe Mode. An earlier TDSSKiller scan had detected (and supposedly cured) Rootkit.Boot.SST.b; at the direction of boopme from an earlier thread, I'm posting the DDS and GMER logs. GMER quit (force-killed?) after a few seconds of running, so I restarted in Safe Mode and it ran fine.

I really appreciate any help with this, thank you very much!

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_32
Run by Steve at 15:43:20 on 2012-07-23
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1440 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Thomson Financial\Thomson ONE\Softdist\TF Update.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\blp\API\OFFICE~1\Bloomberg.UIServer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\blp\API\OFFICE~1\Bloomberg.RtdServer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Steve\Local Settings\Application Data\Autobahn\nexdef.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: FCToolbarURLSearchHook Class: {f4babebc-3e23-47ad-bb74-cb384f30db83} - c:\program files\mileage plus shopping toolbar\Helper.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {74F6C5A9-0EAD-4a71-891E-376A838DF1F0} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: {89867A4A-BDEE-4259-964A-B8E87C4892F3} - No File
BHO: {96CEA57F-AC68-4618-A1A2-DCF5428AF18B} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Mileage Plus Shopping Toolbar BHO: {deaacd6d-0008-4ca1-ae75-a00fec3f9aea} - c:\program files\mileage plus shopping toolbar\Toolbar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Mileage Plus Shopping Toolbar: {20f64390-6a1e-4496-807f-e98730f28ae5} - c:\program files\mileage plus shopping toolbar\Toolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {E8558D71-5E4E-4217-B608-D2F5D3623AE3} - No File
TB: {D99F55AC-3BC6-45A9-95AC-AE07F0CDF943} - No File
TB: {EF91116F-DE92-4286-9087-093085152182} - No File
uRun: [CLRHost] c:\blp\api\office~1\bbxlcmd.exe
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [FolderShare] "c:\program files\foldershare\FolderShare.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\steve\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VirtualCloneDrive] "c:\program files\virtualclonedrive\VCDDaemon.exe" /s
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\nexdef~1.lnk - c:\documents and settings\steve\local settings\application data\autobahn\nexdef.exe
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {4CB3C837-368E-4258-BF8F-E12317BF8AD4} - hxxp://www.tfservicecenter.com/TONEUpgradeFiles/sysreqs.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262716962662
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262716945418
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.5.10
TCP: Interfaces\{7AE35085-4255-43CF-A50A-1491E7C9A343} : DhcpNameServer = 192.168.5.10
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: cryptnet32 - cryptnet32.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\steve\application data\mozilla\firefox\profiles\kzj0hcy9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\kzj0hcy9.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\steve\application data\mozilla\firefox\profiles\kzj0hcy9.default\extensions\{9eb34849-81d3-4841-939d-666d522b889a}\plugins\npSlingPlayer.dll
FF - plugin: c:\documents and settings\steve\application data\mozilla\firefox\profiles\kzj0hcy9.default\extensions\logmeinclient@logmein.com\plugins\npLMI64.dll
FF - plugin: c:\documents and settings\steve\application data\mozilla\firefox\profiles\kzj0hcy9.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\steve\local settings\application data\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\docume~1\steve\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\steve\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-30 374184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-25 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-25 47640]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2007-3-16 14416]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2011-10-27 470528]
R2 PGPmemlock;PGP secure memory driver;c:\windows\system32\drivers\PGPmemlock.sys [2008-12-8 6656]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
R2 TF Update;TF Update;c:\program files\thomson financial\thomson one\softdist\TF Update.exe [2003-11-6 225329]
R2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2007-9-25 867328]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-6-12 102400]
S0 cerc6;cerc6; [x]
S2 5762;5762;\??\c:\docume~1\steve\locals~1\temp\5762.sys --> c:\docume~1\steve\locals~1\temp\5762.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-27 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-15 250056]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2007-3-16 44344]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-27 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 113120]
S3 PulseUsb;Livescribe Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2012-4-29 20480]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-12-4 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-07-23 14:12:37	--------	d-----w-	C:\FRST
2012-07-20 20:39:23	--------	d-----w-	c:\program files\ESET
2012-07-20 20:19:28	--------	d-----w-	C:\TDSSKiller_Quarantine
2012-07-20 15:43:59	56200	----a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9907d322-6e10-4260-8886-484d4306dd26}\offreg.dll
2012-07-20 01:19:30	6891424	----a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9907d322-6e10-4260-8886-484d4306dd26}\mpengine.dll
.
==================== Find3M  ====================
.
2012-07-23 15:33:33	294845	----a-w-	c:\windows\system32\shimg.dll
2012-07-18 02:15:11	426184	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-07-18 02:15:10	70344	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-13 01:03:48	83392	----a-w-	c:\windows\system32\LMIRfsClientNP.dll
2012-07-13 01:03:48	52128	----a-w-	c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2012-07-13 01:03:47	87456	----a-w-	c:\windows\system32\LMIinit.dll
2012-07-13 01:03:47	30624	----a-w-	c:\windows\system32\LMIport.dll
2012-07-03 17:46:44	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-02 19:19:44	22040	----a-w-	c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38	219160	----a-w-	c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38	15384	----a-w-	c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34	15384	----a-w-	c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30	17944	----a-w-	c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09	599040	----a-w-	c:\windows\system32\crypt32.dll
2012-05-22 01:03:36	83360	----a-w-	c:\windows\system32\LMIRfsClientNP.dll.000.bak
2012-05-22 01:03:35	87424	----a-w-	c:\windows\system32\LMIinit.dll.000.bak
2012-05-15 13:20:33	1863168	----a-w-	c:\windows\system32\win32k.sys
2012-05-09 13:02:41	73728	----a-w-	c:\windows\system32\javacpl.cpl
2012-05-09 13:02:41	476960	----a-w-	c:\windows\system32\npdeployJava1.dll
2012-05-09 13:02:41	472864	----a-w-	c:\windows\system32\deployJava1.dll
.
============= FINISH: 15:44:49.85 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-24 09:26:48
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 SAMSUNG_ rev.ZH10
Running: 15281g.exe; Driver: C:\DOCUME~1\Steve\LOCALS~1\Temp\uwddifod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                             fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                  C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                  0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                               0x46 0xC9 0xAA 0xDC ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                            
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                         0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                      0xC2 0x9B 0x9C 0xCD ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                0x00 0x5F 0xB8 0x0E ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                      C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                   0x46 0xC9 0xAA 0xDC ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)        
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                             0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0xC2 0x9B 0x9C 0xCD ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0x1D 0x58 0xBE 0x63 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                      C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                   0x46 0xC9 0xAA 0xDC ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)        
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                             0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0xC2 0x9B 0x9C 0xCD ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0x00 0x5F 0xB8 0x0E ...
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                      C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                   0x46 0xC9 0xAA 0xDC ...
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)        
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                             0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0xC2 0x9B 0x9C 0xCD ...
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0x00 0x5F 0xB8 0x0E ...

---- Files - GMER 1.0.15 ----

File            C:\System Volume Information\_restore{663BBE77-B9D0-457F-A8C4-ABF6874CDC90}\RP617\RestorePointSize                   8 bytes
File            C:\System Volume Information\_restore{663BBE77-B9D0-457F-A8C4-ABF6874CDC90}\RP617\rp.log                             536 bytes
File            C:\System Volume Information\_restore{663BBE77-B9D0-457F-A8C4-ABF6874CDC90}\RP617\snapshot                           0 bytes

---- EOF - GMER 1.0.15 ----




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,739 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:53 PM

Posted 29 July 2012 - 10:05 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462230 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Catul

Catul
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:53 PM

Posted 30 July 2012 - 12:08 PM

I haven't used the computer since posting the logs a week ago, but have rerun DDS and GMER as instructed and the new logs are posted/attached below. Note that I ran these in Safe Mode as GMER quits (is forced to quit?) when running in normal mode. This computer is running Windows XP and Google searches are being redirected. I appreciate your help in fixing this, thanks very much!

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_32
Run by Steve at 10:23:44 on 2012-07-30
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1711 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: FCToolbarURLSearchHook Class: {f4babebc-3e23-47ad-bb74-cb384f30db83} - c:\program files\mileage plus shopping toolbar\Helper.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {74F6C5A9-0EAD-4a71-891E-376A838DF1F0} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: {89867A4A-BDEE-4259-964A-B8E87C4892F3} - No File
BHO: {96CEA57F-AC68-4618-A1A2-DCF5428AF18B} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Mileage Plus Shopping Toolbar BHO: {deaacd6d-0008-4ca1-ae75-a00fec3f9aea} - c:\program files\mileage plus shopping toolbar\Toolbar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: Mileage Plus Shopping Toolbar: {20f64390-6a1e-4496-807f-e98730f28ae5} - c:\program files\mileage plus shopping toolbar\Toolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {E8558D71-5E4E-4217-B608-D2F5D3623AE3} - No File
TB: {D99F55AC-3BC6-45A9-95AC-AE07F0CDF943} - No File
TB: {EF91116F-DE92-4286-9087-093085152182} - No File
uRun: [CLRHost] c:\blp\api\office~1\bbxlcmd.exe
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [FolderShare] "c:\program files\foldershare\FolderShare.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\steve\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VirtualCloneDrive] "c:\program files\virtualclonedrive\VCDDaemon.exe" /s
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\nexdef~1.lnk - c:\documents and settings\steve\local settings\application data\autobahn\nexdef.exe
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {4CB3C837-368E-4258-BF8F-E12317BF8AD4} - hxxp://www.tfservicecenter.com/TONEUpgradeFiles/sysreqs.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262716962662
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262716945418
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.5.10
TCP: Interfaces\{7AE35085-4255-43CF-A50A-1491E7C9A343} : DhcpNameServer = 192.168.5.10
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: cryptnet32 - cryptnet32.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\steve\application data\mozilla\firefox\profiles\kzj0hcy9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\kzj0hcy9.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\steve\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\steve\application data\mozilla\firefox\profiles\kzj0hcy9.default\extensions\{9eb34849-81d3-4841-939d-666d522b889a}\plugins\npSlingPlayer.dll
FF - plugin: c:\documents and settings\steve\application data\mozilla\firefox\profiles\kzj0hcy9.default\extensions\logmeinclient@logmein.com\plugins\npLMI64.dll
FF - plugin: c:\documents and settings\steve\application data\mozilla\firefox\profiles\kzj0hcy9.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\steve\local settings\application data\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
S0 cerc6;cerc6; [x]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S1 SASDIFSV;SASDIFSV;c:\docume~1\steve\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\docume~1\steve\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
S2 5762;5762;\??\c:\docume~1\steve\locals~1\temp\5762.sys --> c:\docume~1\steve\locals~1\temp\5762.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-27 135664]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-30 374184]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-25 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-25 47640]
S2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2007-3-16 14416]
S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2011-10-27 470528]
S2 PGPmemlock;PGP secure memory driver;c:\windows\system32\drivers\PGPmemlock.sys [2008-12-8 6656]
S2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
S2 TF Update;TF Update;c:\program files\thomson financial\thomson one\softdist\TF Update.exe [2003-11-6 225329]
S2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2007-9-25 867328]
S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-6-12 102400]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-15 250056]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2007-3-16 44344]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-27 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-2 113120]
S3 PulseUsb;Livescribe Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2012-4-29 20480]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-12-4 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-07-23 14:12:37	--------	d-----w-	C:\FRST
2012-07-20 20:39:23	--------	d-----w-	c:\program files\ESET
2012-07-20 20:19:28	--------	d-----w-	C:\TDSSKiller_Quarantine
2012-07-20 15:43:59	56200	----a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9907d322-6e10-4260-8886-484d4306dd26}\offreg.dll
2012-07-20 01:19:30	6891424	----a-w-	c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9907d322-6e10-4260-8886-484d4306dd26}\mpengine.dll
.
==================== Find3M  ====================
.
2012-07-23 15:33:33	294845	----a-w-	c:\windows\system32\shimg.dll
2012-07-18 02:15:11	426184	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-07-18 02:15:10	70344	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-13 01:03:48	83392	----a-w-	c:\windows\system32\LMIRfsClientNP.dll
2012-07-13 01:03:48	52128	----a-w-	c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2012-07-13 01:03:47	87456	----a-w-	c:\windows\system32\LMIinit.dll
2012-07-13 01:03:47	30624	----a-w-	c:\windows\system32\LMIport.dll
2012-07-03 17:46:44	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-02 19:19:44	22040	----a-w-	c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38	219160	----a-w-	c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38	15384	----a-w-	c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34	15384	----a-w-	c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30	17944	----a-w-	c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09	599040	----a-w-	c:\windows\system32\crypt32.dll
2012-05-22 01:03:36	83360	----a-w-	c:\windows\system32\LMIRfsClientNP.dll.000.bak
2012-05-22 01:03:35	87424	----a-w-	c:\windows\system32\LMIinit.dll.000.bak
2012-05-15 13:20:33	1863168	----a-w-	c:\windows\system32\win32k.sys
2012-05-09 13:02:41	73728	----a-w-	c:\windows\system32\javacpl.cpl
2012-05-09 13:02:41	476960	----a-w-	c:\windows\system32\npdeployJava1.dll
2012-05-09 13:02:41	472864	----a-w-	c:\windows\system32\deployJava1.dll
.
============= FINISH: 10:24:15.14 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-30 12:45:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 SAMSUNG_ rev.ZH10
Running: 15281g.exe; Driver: C:\DOCUME~1\Steve\LOCALS~1\Temp\uwddifod.sys


---- Kernel code sections - GMER 1.0.15 ----

?               C:\DOCUME~1\Steve\LOCALS~1\Temp\mbr.sys                                                                              The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                             fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                  C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                  0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                               0x46 0xC9 0xAA 0xDC ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                            
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                         0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                      0xC2 0x9B 0x9C 0xCD ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                0x00 0x5F 0xB8 0x0E ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                      C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                   0x46 0xC9 0xAA 0xDC ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)        
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                             0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0xC2 0x9B 0x9C 0xCD ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0x1D 0x58 0xBE 0x63 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                      C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                   0x46 0xC9 0xAA 0xDC ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)        
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                             0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0xC2 0x9B 0x9C 0xCD ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0x00 0x5F 0xB8 0x0E ...
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                      C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                   0x46 0xC9 0xAA 0xDC ...
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)        
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                             0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0xC2 0x9B 0x9C 0xCD ...
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0x00 0x5F 0xB8 0x0E ...

---- Files - GMER 1.0.15 ----

File            C:\System Volume Information\_restore{663BBE77-B9D0-457F-A8C4-ABF6874CDC90}\RP617\RestorePointSize                   8 bytes
File            C:\System Volume Information\_restore{663BBE77-B9D0-457F-A8C4-ABF6874CDC90}\RP617\rp.log                             536 bytes
File            C:\System Volume Information\_restore{663BBE77-B9D0-457F-A8C4-ABF6874CDC90}\RP617\snapshot                           0 bytes

---- EOF - GMER 1.0.15 ----

Attached Files
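As an added example (not code from the thread, from DDS or from GMER): a small Python triage pass over the line formats DDS prints in its "Pseudo HJT Report" and "SERVICES / DRIVERS" sections, run against a constructed sample modelled on the log above. It flags services and drivers whose image sits under a Temp directory, entries DDS marks `[?]` or `[x]`, Winlogon Notify DLLs given as a bare filename rather than a path, and `- No File` orphans. The rules and severities are my assumptions about what a helper reads first; a hit is a review candidate, not a verdict.

```python
"""Triage helper for DDS-style scan logs (added example, not from the thread).

The regexes below model the line shapes DDS prints; every rule yields review
candidates only, and a finding is never a malware verdict on its own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the DDS log posted above (not a real capture).
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
BHO: {74F6C5A9-0EAD-4a71-891E-376A838DF1F0} - No File
Notify: cryptnet32 - cryptnet32.dll
Notify: LMIinit - LMIinit.dll
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S2 5762;5762;\??\c:\docume~1\steve\locals~1\temp\5762.sys --> c:\docume~1\steve\locals~1\temp\5762.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
"""

# DDS service/driver line: "<start type> <name>;<display name>;<image> [<date size> | ? | x]"
SERVICE_RE = re.compile(r"^(S[0-4])\s+([^;]+);([^;]*);(.*)$")
# Trailing status field DDS appends to a service/driver line.
STATUS_RE = re.compile(r"\[([^\]]*)\]\s*$")
# Winlogon Notify package: "Notify: <key> - <dll>"
NOTIFY_RE = re.compile(r"^Notify:\s+(\S+)\s+-\s+(.+)$")
# Image path under a Temp directory (matches both 8.3 and long-name forms).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    severity: str      # "low", "medium" or "high" (assumed scale)
    reasons: List[str]
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Apply every rule to one DDS line; return None when nothing fires."""
    reasons: List[str] = []
    severity = "low"

    def note(sev: str, why: str) -> None:
        nonlocal severity
        reasons.append(why)
        if SEVERITY_RANK[sev] > SEVERITY_RANK[severity]:
            severity = sev

    svc = SERVICE_RE.match(line)
    if svc:
        start, name, _display, rest = svc.groups()
        status_m = STATUS_RE.search(rest)
        status = status_m.group(1) if status_m else ""
        image = (rest[: status_m.start()] if status_m else rest).strip()
        if TEMP_RE.search(image):
            note("high", f"{start} entry '{name}' loads from a Temp directory")
        if status == "?":
            note("medium", f"{start} entry '{name}' has an image DDS could not verify ([?])")
        elif status == "x":
            note("low", f"{start} entry '{name}' is registered but its file is missing ([x])")

    notify = NOTIFY_RE.match(line)
    if notify:
        key, dll = notify.groups()
        if "\\" not in dll:
            note("medium", f"Winlogon Notify '{key}' names a bare DLL '{dll}'; confirm its path and publisher")

    if line.rstrip().endswith("- No File"):
        note("low", "orphaned registration pointing at a missing file")

    return Finding(severity, reasons, line) if reasons else None


def triage(text: str) -> List[Finding]:
    """Triage a whole DDS log; highest severity first, input order otherwise."""
    findings = [f for f in (triage_line(l) for l in text.strip().splitlines()) if f]
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {'; '.join(f.reasons)}\n          {f.line}")
```

Run against the log above, the Temp-directory rule also fires on the SASDIFSV and SASKUTIL drivers, which belong to a scanner unpacked from a self-extracting archive; that is exactly why the output is a reading order for a human, not a removal list.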



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 30 July 2012 - 04:57 PM

Hello Catul,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 Catul

Catul
  • Topic Starter

  • Members
  • 11 posts

Posted 31 July 2012 - 10:45 AM

Fireman4it, thank you very much for helping me with this - it's really appreciated! I've followed your directions and posted the TDSSKiller and ComboFix logs below. I ran both of these in Safe Mode; when in regular mode, the screen flashes to black every couple of seconds and the PC is virtually unusable (this could perhaps just be a video driver issue?). ComboFix did reboot at some point and went into regular mode but finished successfully.

It looks like Google searches are now working fine, and I don't see any other indications of malware. This video black flashing is a problem though; do you recommend I download the newest nVidia drivers and install them?

Thanks again; here are the requested logs.


10:16:23.0375 0684	TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
10:16:23.0640 0684	============================================================
10:16:23.0640 0684	Current date / time: 2012/07/31 10:16:23.0640
10:16:23.0640 0684	SystemInfo:
10:16:23.0640 0684	
10:16:23.0640 0684	OS Version: 5.1.2600 ServicePack: 3.0
10:16:23.0640 0684	Product type: Workstation
10:16:23.0640 0684	ComputerName: STEVE-P390
10:16:23.0640 0684	UserName: Steve
10:16:23.0640 0684	Windows directory: C:\WINDOWS
10:16:23.0640 0684	System windows directory: C:\WINDOWS
10:16:23.0640 0684	Processor architecture: Intel x86
10:16:23.0640 0684	Number of processors: 2
10:16:23.0640 0684	Page size: 0x1000
10:16:23.0640 0684	Boot type: Safe boot with network
10:16:23.0640 0684	============================================================
10:16:24.0265 0684	Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
10:16:24.0281 0684	Drive \Device\Harddisk1\DR1 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
10:16:24.0328 0684	Drive \Device\Harddisk6\DR13 - Size: 0x7AFFFE00 (1.92 Gb), SectorSize: 0x200, Cylinders: 0xFA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
10:16:24.0328 0684	============================================================
10:16:24.0328 0684	\Device\Harddisk0\DR0:
10:16:24.0328 0684	MBR partitions:
10:16:24.0328 0684	\Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x17886, BlocksNum 0x94E7137
10:16:24.0328 0684	\Device\Harddisk1\DR1:
10:16:24.0328 0684	MBR partitions:
10:16:24.0328 0684	\Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2542D682
10:16:24.0328 0684	\Device\Harddisk6\DR13:
10:16:24.0328 0684	MBR partitions:
10:16:24.0328 0684	\Device\Harddisk6\DR13\Partition0: MBR, Type 0xB, StartLBA 0x80, BlocksNum 0x3D7F00
10:16:24.0328 0684	============================================================
10:16:24.0375 0684	D: <-> \Device\Harddisk1\DR1\Partition0
10:16:24.0437 0684	C: <-> \Device\Harddisk0\DR0\Partition0
10:16:24.0437 0684	============================================================
10:16:24.0437 0684	Initialize success
10:16:24.0437 0684	============================================================
10:16:33.0921 0964	============================================================
10:16:33.0921 0964	Scan started
10:16:33.0921 0964	Mode: Manual; TDLFS; 
10:16:33.0921 0964	============================================================
10:16:34.0218 0964	5762 - ok
10:16:34.0328 0964	6to4 - ok
10:16:34.0375 0964	Abiosdsk - ok
10:16:34.0390 0964	abp480n5 - ok
10:16:34.0468 0964	ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:16:34.0468 0964	ACPI - ok
10:16:34.0515 0964	ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:16:34.0515 0964	ACPIEC - ok
10:16:34.0562 0964	Adobe LM Service (c1eb9968ec89fba5f3a264e2e57923ab) C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
10:16:34.0562 0964	Adobe LM Service - ok
10:16:34.0703 0964	AdobeFlashPlayerUpdateSvc (5e1a953c6472e7bb644892a4d0df5e72) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
10:16:34.0703 0964	AdobeFlashPlayerUpdateSvc - ok
10:16:34.0718 0964	adpu160m - ok
10:16:34.0796 0964	aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:16:34.0796 0964	aec - ok
10:16:34.0843 0964	AFD             (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
10:16:34.0843 0964	AFD - ok
10:16:34.0859 0964	Aha154x - ok
10:16:34.0875 0964	aic78u2 - ok
10:16:34.0906 0964	aic78xx - ok
10:16:34.0968 0964	Alerter         (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
10:16:34.0968 0964	Alerter - ok
10:16:35.0031 0964	ALG             (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
10:16:35.0031 0964	ALG - ok
10:16:35.0031 0964	AliIde - ok
10:16:35.0062 0964	amsint - ok
10:16:35.0140 0964	AnyDVD          (fb20f6220bcbbd6a4f870d4bf83bc12b) C:\WINDOWS\system32\Drivers\AnyDVD.sys
10:16:35.0140 0964	AnyDVD - ok
10:16:35.0218 0964	AOL ACS         (85180cf88c5ebad73b452a43a004ca51) C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
10:16:35.0218 0964	AOL ACS - ok
10:16:35.0296 0964	Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
10:16:35.0296 0964	Apple Mobile Device - ok
10:16:35.0375 0964	AppMgmt         (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
10:16:35.0390 0964	AppMgmt - ok
10:16:35.0421 0964	Arp1394         (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
10:16:35.0437 0964	Arp1394 - ok
10:16:35.0468 0964	asc - ok
10:16:35.0484 0964	asc3350p - ok
10:16:35.0500 0964	asc3550 - ok
10:16:35.0718 0964	aspnet_state    (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
10:16:35.0781 0964	aspnet_state - ok
10:16:35.0828 0964	AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:16:35.0828 0964	AsyncMac - ok
10:16:35.0875 0964	atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:16:35.0875 0964	atapi - ok
10:16:35.0890 0964	Atdisk - ok
10:16:35.0953 0964	Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:16:35.0968 0964	Atmarpc - ok
10:16:36.0015 0964	AudioSrv        (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
10:16:36.0015 0964	AudioSrv - ok
10:16:36.0046 0964	audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:16:36.0046 0964	audstub - ok
10:16:36.0109 0964	b57w2k          (bb1a2a73f993b623f99e03ed2f9e014c) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
10:16:36.0109 0964	b57w2k - ok
10:16:36.0171 0964	Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:16:36.0171 0964	Beep - ok
10:16:36.0312 0964	Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
10:16:36.0312 0964	Bonjour Service - ok
10:16:36.0359 0964	Browser         (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
10:16:36.0359 0964	Browser - ok
10:16:36.0390 0964	cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:16:36.0390 0964	cbidf2k - ok
10:16:36.0531 0964	CCALib8         (359e5a91d26d0439933bef1c29cedef7) C:\Program Files\Canon\CAL\CALMAIN.exe
10:16:36.0531 0964	CCALib8 - ok
10:16:36.0578 0964	CCDECODE        (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
10:16:36.0578 0964	CCDECODE - ok
10:16:36.0578 0964	cd20xrnt - ok
10:16:36.0625 0964	Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:16:36.0625 0964	Cdaudio - ok
10:16:36.0656 0964	Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:16:36.0671 0964	Cdfs - ok
10:16:36.0718 0964	Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:16:36.0718 0964	Cdrom - ok
10:16:36.0734 0964	cerc6 - ok
10:16:36.0750 0964	Changer - ok
10:16:36.0796 0964	CiSvc           (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
10:16:36.0796 0964	CiSvc - ok
10:16:36.0812 0964	ClipSrv         (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
10:16:36.0812 0964	ClipSrv - ok
10:16:36.0921 0964	clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
10:16:36.0984 0964	clr_optimization_v2.0.50727_32 - ok
10:16:37.0093 0964	clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
10:16:37.0093 0964	clr_optimization_v4.0.30319_32 - ok
10:16:37.0109 0964	CmdIde - ok
10:16:37.0125 0964	COMSysApp - ok
10:16:37.0187 0964	Cpqarray - ok
10:16:37.0234 0964	CryptSvc        (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
10:16:37.0234 0964	CryptSvc - ok
10:16:37.0250 0964	dac2w2k - ok
10:16:37.0265 0964	dac960nt - ok
10:16:37.0328 0964	DcomLaunch      (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
10:16:37.0484 0964	DcomLaunch - ok
10:16:37.0531 0964	Dhcp            (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
10:16:37.0531 0964	Dhcp - ok
10:16:37.0578 0964	Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:16:37.0578 0964	Disk - ok
10:16:37.0625 0964	DLABOIOM        (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
10:16:37.0625 0964	DLABOIOM - ok
10:16:37.0625 0964	DLACDBHM        (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
10:16:37.0640 0964	DLACDBHM - ok
10:16:37.0656 0964	DLADResN        (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
10:16:37.0656 0964	DLADResN - ok
10:16:37.0687 0964	DLAIFS_M        (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
10:16:37.0687 0964	DLAIFS_M - ok
10:16:37.0703 0964	DLAOPIOM        (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
10:16:37.0718 0964	DLAOPIOM - ok
10:16:37.0734 0964	DLAPoolM        (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
10:16:37.0734 0964	DLAPoolM - ok
10:16:37.0750 0964	DLARTL_N        (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
10:16:37.0750 0964	DLARTL_N - ok
10:16:37.0781 0964	DLAUDFAM        (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
10:16:37.0781 0964	DLAUDFAM - ok
10:16:37.0796 0964	DLAUDF_M        (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
10:16:37.0796 0964	DLAUDF_M - ok
10:16:37.0812 0964	dmadmin - ok
10:16:37.0906 0964	dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:16:37.0921 0964	dmboot - ok
10:16:37.0937 0964	dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
10:16:37.0937 0964	dmio - ok
10:16:37.0953 0964	dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:16:37.0953 0964	dmload - ok
10:16:37.0984 0964	dmserver        (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
10:16:38.0000 0964	dmserver - ok
10:16:38.0031 0964	DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:16:38.0031 0964	DMusic - ok
10:16:38.0062 0964	Dnscache        (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
10:16:38.0062 0964	Dnscache - ok
10:16:38.0093 0964	Dot3svc         (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
10:16:38.0093 0964	Dot3svc - ok
10:16:38.0109 0964	dpti2o - ok
10:16:38.0156 0964	drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:16:38.0156 0964	drmkaud - ok
10:16:38.0187 0964	DRVMCDB         (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
10:16:38.0187 0964	DRVMCDB - ok
10:16:38.0203 0964	DRVNDDM         (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
10:16:38.0203 0964	DRVNDDM - ok
10:16:38.0234 0964	EapHost         (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
10:16:38.0234 0964	EapHost - ok
10:16:38.0265 0964	ElbyCDIO        (d71233d7ccc2e64f8715a20428d5a33b) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
10:16:38.0265 0964	ElbyCDIO - ok
10:16:38.0296 0964	ERSvc           (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
10:16:38.0296 0964	ERSvc - ok
10:16:38.0343 0964	Eventlog        (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
10:16:38.0359 0964	Eventlog - ok
10:16:38.0421 0964	EventSystem     (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
10:16:38.0421 0964	EventSystem - ok
10:16:38.0453 0964	eyeonedp        (8313a6af9de34a9d24df2329a548b004) C:\WINDOWS\system32\DRIVERS\eyeonedp.sys
10:16:38.0468 0964	eyeonedp - ok
10:16:38.0515 0964	Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:16:38.0515 0964	Fastfat - ok
10:16:38.0562 0964	FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:16:38.0562 0964	FastUserSwitchingCompatibility - ok
10:16:38.0625 0964	Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
10:16:38.0625 0964	Fdc - ok
10:16:38.0703 0964	FilterService   (20fe03294ac1429ae88a64c2f754b0d4) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
10:16:38.0703 0964	FilterService - ok
10:16:38.0750 0964	Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:16:38.0750 0964	Fips - ok
10:16:38.0796 0964	Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
10:16:38.0796 0964	Flpydisk - ok
10:16:38.0812 0964	FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
10:16:38.0812 0964	FltMgr - ok
10:16:38.0937 0964	FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
10:16:38.0937 0964	FontCache3.0.0.0 - ok
10:16:39.0000 0964	Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:16:39.0000 0964	Fs_Rec - ok
10:16:39.0031 0964	Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:16:39.0031 0964	Ftdisk - ok
10:16:39.0062 0964	GEARAspiWDM     (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
10:16:39.0078 0964	GEARAspiWDM - ok
10:16:39.0125 0964	Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:16:39.0125 0964	Gpc - ok
10:16:39.0234 0964	gupdate         (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
10:16:39.0234 0964	gupdate - ok
10:16:39.0250 0964	gupdatem        (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
10:16:39.0250 0964	gupdatem - ok
10:16:39.0312 0964	gusvc           (5467f1ff0af264566740f67e8b810735) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
10:16:39.0312 0964	gusvc - ok
10:16:39.0359 0964	HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
10:16:39.0359 0964	HDAudBus - ok
10:16:39.0406 0964	helpsvc         (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
10:16:39.0421 0964	helpsvc - ok
10:16:39.0484 0964	HidServ         (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
10:16:39.0484 0964	HidServ - ok
10:16:39.0531 0964	HidUsb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:16:39.0531 0964	HidUsb - ok
10:16:39.0562 0964	hkmsvc          (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
10:16:39.0562 0964	hkmsvc - ok
10:16:39.0578 0964	hpn - ok
10:16:39.0640 0964	HSFHWBS2        (e51b7370d35e0006edf0e12b610c3489) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
10:16:39.0640 0964	HSFHWBS2 - ok
10:16:39.0734 0964	HSF_DPV         (0e44af3828111d4c3e73c33ac95226d8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
10:16:39.0750 0964	HSF_DPV - ok
10:16:39.0812 0964	HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:16:39.0812 0964	HTTP - ok
10:16:39.0843 0964	HTTPFilter      (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
10:16:39.0843 0964	HTTPFilter - ok
10:16:39.0859 0964	i2omgmt - ok
10:16:39.0875 0964	i2omp - ok
10:16:39.0921 0964	i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:16:39.0921 0964	i8042prt - ok
10:16:40.0031 0964	IAANTMON        (d72f2a013ada9e2dda417887a8dfd217) C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
10:16:40.0031 0964	IAANTMON - ok
10:16:40.0125 0964	iaStor          (de01bf14ffb150c779fd561bd0e3c5c5) C:\WINDOWS\system32\DRIVERS\iaStor.sys
10:16:40.0125 0964	iaStor - ok
10:16:40.0203 0964	IDriverT        (daf66902f08796f9c694901660e5a64a) C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
10:16:40.0203 0964	IDriverT - ok
10:16:40.0375 0964	idsvc           (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
10:16:40.0390 0964	idsvc - ok
10:16:40.0421 0964	Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:16:40.0421 0964	Imapi - ok
10:16:40.0468 0964	ImapiService    (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
10:16:40.0484 0964	ImapiService - ok
10:16:40.0500 0964	ini910u - ok
10:16:40.0531 0964	IntelIde - ok
10:16:40.0578 0964	intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
10:16:40.0578 0964	intelppm - ok
10:16:40.0609 0964	Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
10:16:40.0609 0964	Ip6Fw - ok
10:16:40.0640 0964	IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:16:40.0640 0964	IpFilterDriver - ok
10:16:40.0656 0964	IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:16:40.0656 0964	IpInIp - ok
10:16:40.0703 0964	IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:16:40.0718 0964	IpNat - ok
10:16:40.0875 0964	iPod Service    (57edb35ea2feca88f8b17c0c095c9a56) C:\Program Files\iPod\bin\iPodService.exe
10:16:40.0890 0964	iPod Service - ok
10:16:40.0937 0964	IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:16:40.0937 0964	IPSec - ok
10:16:40.0968 0964	IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:16:40.0968 0964	IRENUM - ok
10:16:41.0046 0964	isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:16:41.0046 0964	isapnp - ok
10:16:41.0187 0964	JavaQuickStarterService (a38441ed570f190cc041a7be49488fa7) C:\Program Files\Java\jre6\bin\jqs.exe
10:16:41.0187 0964	JavaQuickStarterService - ok
10:16:41.0234 0964	Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:16:41.0234 0964	Kbdclass - ok
10:16:41.0281 0964	kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
10:16:41.0281 0964	kbdhid - ok
10:16:41.0328 0964	kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:16:41.0343 0964	kmixer - ok
10:16:41.0375 0964	KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:16:41.0375 0964	KSecDD - ok
10:16:41.0453 0964	lanmanserver    (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
10:16:41.0453 0964	lanmanserver - ok
10:16:41.0500 0964	lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
10:16:41.0515 0964	lanmanworkstation - ok
10:16:41.0515 0964	lbrtfdc - ok
10:16:41.0578 0964	LmHosts         (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
10:16:41.0578 0964	LmHosts - ok
10:16:41.0718 0964	LMIGuardianSvc  (63daf163d1617dd611bd0ab8e41a43e8) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
10:16:41.0750 0964	LMIGuardianSvc - ok
10:16:41.0796 0964	LMIInfo         (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
10:16:41.0812 0964	LMIInfo - ok
10:16:41.0843 0964	LMIMaint        (175f50f37eeaa1d4d744bcccbb7cf68c) C:\Program Files\LogMeIn\x86\RaMaint.exe
10:16:41.0843 0964	LMIMaint - ok
10:16:41.0890 0964	LMImirr         (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\LMImirr.sys
10:16:41.0890 0964	LMImirr - ok
10:16:41.0906 0964	LMIRfsClientNP - ok
10:16:41.0937 0964	LMIRfsDriver    (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
10:16:41.0937 0964	LMIRfsDriver - ok
10:16:42.0000 0964	LogMeIn         (432618fa75b61059d2c57d6a7e55147a) C:\Program Files\LogMeIn\x86\LogMeIn.exe
10:16:42.0015 0964	LogMeIn - ok
10:16:42.0109 0964	lvpopflt        (af280405c10f0d20f37670b7432e5c2f) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys
10:16:42.0109 0964	lvpopflt - ok
10:16:42.0187 0964	LVRS            (e52f5a2cadcf08d07f559962f807a0a2) C:\WINDOWS\system32\DRIVERS\lvrs.sys
10:16:42.0203 0964	LVRS - ok
10:16:42.0750 0964	LVUVC           (c3d02260beb2b48dea1efdfca91e4b69) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
10:16:43.0000 0964	LVUVC - ok
10:16:43.0125 0964	mdmxsdk         (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
10:16:43.0125 0964	mdmxsdk - ok
10:16:43.0187 0964	Messenger       (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
10:16:43.0187 0964	Messenger - ok
10:16:43.0218 0964	mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:16:43.0218 0964	mnmdd - ok
10:16:43.0265 0964	mnmsrvc         (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
10:16:43.0265 0964	mnmsrvc - ok
10:16:43.0296 0964	Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:16:43.0296 0964	Modem - ok
10:16:43.0343 0964	MODEMCSA        (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
10:16:43.0343 0964	MODEMCSA - ok
10:16:43.0375 0964	Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:16:43.0375 0964	Mouclass - ok
10:16:43.0421 0964	mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:16:43.0437 0964	mouhid - ok
10:16:43.0468 0964	MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:16:43.0468 0964	MountMgr - ok
10:16:43.0593 0964	MozillaMaintenance (15d5398eed42c2504bb3d4fc875c15d1) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
10:16:43.0593 0964	MozillaMaintenance - ok
10:16:43.0625 0964	MpFilter        (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
10:16:43.0625 0964	MpFilter - ok
10:16:43.0640 0964	mraid35x - ok
10:16:43.0703 0964	MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:16:43.0703 0964	MRxDAV - ok
10:16:43.0750 0964	MRxSmb          (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:16:43.0750 0964	MRxSmb - ok
10:16:43.0781 0964	MSDTC           (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
10:16:43.0781 0964	MSDTC - ok
10:16:43.0843 0964	Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:16:43.0843 0964	Msfs - ok
10:16:43.0859 0964	MSIServer - ok
10:16:43.0890 0964	MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:16:43.0890 0964	MSKSSRV - ok
10:16:43.0921 0964	MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:16:43.0921 0964	MSPCLOCK - ok
10:16:43.0984 0964	MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:16:43.0984 0964	MSPQM - ok
10:16:44.0000 0964	mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:16:44.0000 0964	mssmbios - ok
10:16:44.0109 0964	MSTEE           (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
10:16:44.0109 0964	MSTEE - ok
10:16:44.0125 0964	Mup             (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:16:44.0125 0964	Mup - ok
10:16:44.0187 0964	NABTSFEC        (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
10:16:44.0187 0964	NABTSFEC - ok
10:16:44.0234 0964	napagent        (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
10:16:44.0250 0964	napagent - ok
10:16:44.0296 0964	NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:16:44.0296 0964	NDIS - ok
10:16:44.0328 0964	NdisIP          (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
10:16:44.0328 0964	NdisIP - ok
10:16:44.0359 0964	NdisTapi        (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:16:44.0359 0964	NdisTapi - ok
10:16:44.0390 0964	Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:16:44.0390 0964	Ndisuio - ok
10:16:44.0453 0964	NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:16:44.0453 0964	NdisWan - ok
10:16:44.0484 0964	NDProxy         (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:16:44.0484 0964	NDProxy - ok
10:16:44.0515 0964	NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:16:44.0515 0964	NetBIOS - ok
10:16:44.0562 0964	NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:16:44.0562 0964	NetBT - ok
10:16:44.0640 0964	NetDDE          (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
10:16:44.0640 0964	NetDDE - ok
10:16:44.0656 0964	NetDDEdsdm      (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
10:16:44.0656 0964	NetDDEdsdm - ok
10:16:44.0703 0964	Netlogon        (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:16:44.0703 0964	Netlogon - ok
10:16:44.0734 0964	Netman          (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
10:16:44.0734 0964	Netman - ok
10:16:44.0890 0964	NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
10:16:44.0890 0964	NetTcpPortSharing - ok
10:16:44.0968 0964	NIC1394         (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
10:16:44.0968 0964	NIC1394 - ok
10:16:45.0046 0964	Nla             (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
10:16:45.0046 0964	Nla - ok
10:16:45.0093 0964	Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:16:45.0093 0964	Npfs - ok
10:16:45.0140 0964	Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:16:45.0156 0964	Ntfs - ok
10:16:45.0171 0964	NtLmSsp         (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:16:45.0171 0964	NtLmSsp - ok
10:16:45.0250 0964	NtmsSvc         (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
10:16:45.0250 0964	NtmsSvc - ok
10:16:45.0296 0964	Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:16:45.0296 0964	Null - ok
10:16:45.0593 0964	nv              (b19c2aae0922072ff4a467f2a37620ad) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:16:45.0671 0964	nv - ok
10:16:45.0843 0964	NVSvc           (9f40402087b6d4a428571dd6ca83ac1e) C:\WINDOWS\system32\nvsvc32.exe
10:16:45.0843 0964	NVSvc - ok
10:16:45.0875 0964	NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:16:45.0875 0964	NwlnkFlt - ok
10:16:45.0906 0964	NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:16:45.0906 0964	NwlnkFwd - ok
10:16:46.0046 0964	odserv          (1f0e05dff4f5a833168e49be1256f002) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
10:16:46.0046 0964	odserv - ok
10:16:46.0109 0964	ohci1394        (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
10:16:46.0109 0964	ohci1394 - ok
10:16:46.0156 0964	ose             (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
10:16:46.0171 0964	ose - ok
10:16:46.0234 0964	Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:16:46.0234 0964	Parport - ok
10:16:46.0265 0964	PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:16:46.0265 0964	PartMgr - ok
10:16:46.0296 0964	ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:16:46.0296 0964	ParVdm - ok
10:16:46.0312 0964	PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:16:46.0312 0964	PCI - ok
10:16:46.0343 0964	PCIDump - ok
10:16:46.0359 0964	PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:16:46.0359 0964	PCIIde - ok
10:16:46.0421 0964	Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:16:46.0421 0964	Pcmcia - ok
10:16:46.0421 0964	PDCOMP - ok
10:16:46.0453 0964	PDFRAME - ok
10:16:46.0500 0964	PDIHWCTL        (274fb48dc92e0ec012d4d8d866cfaf8a) C:\WINDOWS\system32\drivers\pdihwctl.sys
10:16:46.0500 0964	PDIHWCTL - ok
10:16:46.0515 0964	PDRELI - ok
10:16:46.0531 0964	PDRFRAME - ok
10:16:46.0656 0964	PenCommService  (edffbc067c9321d2076b3d6f33e0d4c6) C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
10:16:46.0656 0964	PenCommService - ok
10:16:46.0687 0964	perc2 - ok
10:16:46.0703 0964	perc2hib - ok
10:16:46.0781 0964	PGPmemlock      (a549dc21b37f1eece4e89acc993aaabb) C:\WINDOWS\system32\drivers\PGPmemlock.sys
10:16:46.0781 0964	PGPmemlock - ok
10:16:46.0828 0964	PlugPlay        (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
10:16:46.0828 0964	PlugPlay - ok
10:16:46.0859 0964	PolicyAgent     (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:16:46.0859 0964	PolicyAgent - ok
10:16:46.0906 0964	PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:16:46.0906 0964	PptpMiniport - ok
10:16:46.0921 0964	ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:16:46.0921 0964	ProtectedStorage - ok
10:16:46.0953 0964	PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:16:46.0953 0964	PSched - ok
10:16:46.0984 0964	Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:16:46.0984 0964	Ptilink - ok
10:16:47.0046 0964	PulseUsb        (82749a87e49fdc46e6d1b9627507dd75) C:\WINDOWS\system32\DRIVERS\PulseUsb.sys
10:16:47.0046 0964	PulseUsb - ok
10:16:47.0093 0964	PxHelp20        (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
10:16:47.0093 0964	PxHelp20 - ok
10:16:47.0109 0964	ql1080 - ok
10:16:47.0125 0964	Ql10wnt - ok
10:16:47.0140 0964	ql12160 - ok
10:16:47.0171 0964	ql1240 - ok
10:16:47.0187 0964	ql1280 - ok
10:16:47.0234 0964	RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:16:47.0234 0964	RasAcd - ok
10:16:47.0281 0964	RasAuto         (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
10:16:47.0281 0964	RasAuto - ok
10:16:47.0328 0964	Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:16:47.0328 0964	Rasl2tp - ok
10:16:47.0375 0964	RasMan          (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
10:16:47.0390 0964	RasMan - ok
10:16:47.0421 0964	RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:16:47.0421 0964	RasPppoe - ok
10:16:47.0437 0964	Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:16:47.0437 0964	Raspti - ok
10:16:47.0484 0964	Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:16:47.0484 0964	Rdbss - ok
10:16:47.0515 0964	RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:16:47.0515 0964	RDPCDD - ok
10:16:47.0546 0964	rdpdr           (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:16:47.0562 0964	rdpdr - ok
10:16:47.0609 0964	RDPWD           (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
10:16:47.0609 0964	RDPWD - ok
10:16:47.0656 0964	RDSessMgr       (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
10:16:47.0656 0964	RDSessMgr - ok
10:16:47.0703 0964	redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:16:47.0703 0964	redbook - ok
10:16:47.0750 0964	RemoteAccess    (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
10:16:47.0765 0964	RemoteAccess - ok
10:16:47.0796 0964	RemoteRegistry  (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
10:16:47.0796 0964	RemoteRegistry - ok
10:16:47.0937 0964	RetroLauncher   (adaacc89440eb9e92f1cdf2e40383af3) C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
10:16:47.0937 0964	RetroLauncher - ok
10:16:48.0015 0964	Retrospect Helper (708a7a410159191797f19868ef9aee4c) C:\Program Files\Retrospect\Retrospect 7.5\rthlpsvc.exe
10:16:48.0015 0964	Retrospect Helper - ok
10:16:48.0109 0964	RichVideo       (2af094b1ce4725e4551f38fda2348637) C:\Program Files\CyberLink\Shared Files\RichVideo.exe
10:16:48.0109 0964	RichVideo - ok
10:16:48.0140 0964	RpcLocator      (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
10:16:48.0156 0964	RpcLocator - ok
10:16:48.0250 0964	RpcSs           (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
10:16:48.0250 0964	RpcSs - ok
10:16:48.0296 0964	rspndr          (0e11b35e972796042044bc27ce13b065) C:\WINDOWS\system32\DRIVERS\rspndr.sys
10:16:48.0296 0964	rspndr - ok
10:16:48.0343 0964	RSVP            (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
10:16:48.0343 0964	RSVP - ok
10:16:48.0390 0964	SamSs           (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:16:48.0390 0964	SamSs - ok
10:16:48.0640 0964	SASDIFSV        (a3281aec37e0720a2bc28034c2df2a56) C:\DOCUME~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS
10:16:48.0640 0964	SASDIFSV - ok
10:16:48.0703 0964	SASKUTIL        (61db0d0756a99506207fd724e3692b25) C:\DOCUME~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS
10:16:48.0703 0964	SASKUTIL - ok
10:16:48.0734 0964	SCardSvr        (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
10:16:48.0734 0964	SCardSvr - ok
10:16:48.0781 0964	Schedule        (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
10:16:48.0796 0964	Schedule - ok
10:16:48.0828 0964	Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:16:48.0828 0964	Secdrv - ok
10:16:48.0875 0964	seclogon        (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
10:16:48.0875 0964	seclogon - ok
10:16:48.0906 0964	SENS            (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
10:16:48.0906 0964	SENS - ok
10:16:48.0937 0964	serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:16:48.0937 0964	serenum - ok
10:16:49.0031 0964	Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:16:49.0031 0964	Serial - ok
10:16:49.0140 0964	Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:16:49.0140 0964	Sfloppy - ok
10:16:49.0234 0964	ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:16:49.0234 0964	ShellHWDetection - ok
10:16:49.0250 0964	Simbad - ok
10:16:49.0406 0964	SlingAgentService (0973bd0931bf4d0dfb1885bd464e9766) C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
10:16:49.0406 0964	SlingAgentService - ok
10:16:49.0453 0964	SLIP            (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
10:16:49.0453 0964	SLIP - ok
10:16:49.0484 0964	Sparrow - ok
10:16:49.0515 0964	splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:16:49.0515 0964	splitter - ok
10:16:49.0562 0964	Spooler         (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
10:16:49.0578 0964	Spooler - ok
10:16:49.0671 0964	sptd            (71e276f6d189413266ea22171806597b) C:\WINDOWS\System32\Drivers\sptd.sys
10:16:49.0687 0964	sptd - ok
10:16:49.0718 0964	sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:16:49.0718 0964	sr - ok
10:16:49.0765 0964	srservice       (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
10:16:49.0765 0964	srservice - ok
10:16:49.0812 0964	Srv             (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:16:49.0812 0964	Srv - ok
10:16:49.0843 0964	sscdbus         (d6870895fe46a464a19141440eb6cc1e) C:\WINDOWS\system32\DRIVERS\sscdbus.sys
10:16:49.0843 0964	sscdbus - ok
10:16:49.0859 0964	sscdmdfl        (0fe167362e4689b716cdc8d93adedda8) C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
10:16:49.0859 0964	sscdmdfl - ok
10:16:49.0890 0964	sscdmdm         (55a15707e32b6709242ad127e62ca55a) C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
10:16:49.0906 0964	sscdmdm - ok
10:16:49.0968 0964	sscdserd        (9fa66e361a99f8920c7609bae6814a0e) C:\WINDOWS\system32\DRIVERS\sscdserd.sys
10:16:49.0968 0964	sscdserd - ok
10:16:50.0015 0964	SSDPSRV         (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
10:16:50.0015 0964	SSDPSRV - ok
10:16:50.0140 0964	STHDA           (9db5dbed65f2d74acd1d20a53898af79) C:\WINDOWS\system32\drivers\sthda.sys
10:16:50.0156 0964	STHDA - ok
10:16:50.0218 0964	stisvc          (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
10:16:50.0218 0964	stisvc - ok
10:16:50.0265 0964	streamip        (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
10:16:50.0265 0964	streamip - ok
10:16:50.0296 0964	swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:16:50.0296 0964	swenum - ok
10:16:50.0375 0964	swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:16:50.0375 0964	swmidi - ok
10:16:50.0375 0964	SwPrv - ok
10:16:50.0406 0964	symc810 - ok
10:16:50.0437 0964	symc8xx - ok
10:16:50.0453 0964	sym_hi - ok
10:16:50.0468 0964	sym_u3 - ok
10:16:50.0531 0964	sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:16:50.0531 0964	sysaudio - ok
10:16:50.0578 0964	SysmonLog       (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
10:16:50.0578 0964	SysmonLog - ok
10:16:50.0640 0964	TapiSrv         (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
10:16:50.0640 0964	TapiSrv - ok
10:16:50.0718 0964	Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:16:50.0718 0964	Tcpip - ok
10:16:50.0765 0964	TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:16:50.0765 0964	TDPIPE - ok
10:16:50.0781 0964	TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:16:50.0796 0964	TDTCP - ok
10:16:50.0812 0964	TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:16:50.0812 0964	TermDD - ok
10:16:50.0875 0964	TermService     (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
10:16:50.0875 0964	TermService - ok
10:16:51.0031 0964	TF Update       (de3d451fe7234c3a2881f6f5edda218a) C:\Program Files\Thomson Financial\Thomson ONE\Softdist\TF Update.exe
10:16:51.0031 0964	TF Update - ok
10:16:51.0078 0964	Themes          (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:16:51.0093 0964	Themes - ok
10:16:51.0187 0964	TivoBeacon2     (9196fee3a02d16f2726813bda31957e0) C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
10:16:51.0203 0964	TivoBeacon2 - ok
10:16:51.0265 0964	TlntSvr         (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
10:16:51.0265 0964	TlntSvr - ok
10:16:51.0281 0964	TosIde - ok
10:16:51.0343 0964	TrkWks          (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
10:16:51.0343 0964	TrkWks - ok
10:16:51.0421 0964	Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:16:51.0421 0964	Udfs - ok
10:16:51.0453 0964	ultra - ok
10:16:51.0515 0964	Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:16:51.0515 0964	Update - ok
10:16:51.0562 0964	upnphost        (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
10:16:51.0562 0964	upnphost - ok
10:16:51.0593 0964	UPS             (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
10:16:51.0593 0964	UPS - ok
10:16:51.0656 0964	USBAAPL         (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
10:16:51.0656 0964	USBAAPL - ok
10:16:51.0734 0964	usbaudio        (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
10:16:51.0734 0964	usbaudio - ok
10:16:51.0765 0964	usbccgp         (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:16:51.0765 0964	usbccgp - ok
10:16:51.0812 0964	usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:16:51.0812 0964	usbehci - ok
10:16:51.0859 0964	usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:16:51.0859 0964	usbhub - ok
10:16:51.0890 0964	usbscan         (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
10:16:51.0890 0964	usbscan - ok
10:16:51.0921 0964	usbstor         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:16:51.0921 0964	usbstor - ok
10:16:51.0968 0964	usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:16:51.0968 0964	usbuhci - ok
10:16:52.0015 0964	usbvideo        (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
10:16:52.0015 0964	usbvideo - ok
10:16:52.0031 0964	usb_rndisx      (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
10:16:52.0031 0964	usb_rndisx - ok
10:16:52.0078 0964	VClone          (94d73b62e458fb56c9ce60aa96d914f9) C:\WINDOWS\system32\DRIVERS\VClone.sys
10:16:52.0078 0964	VClone - ok
10:16:52.0125 0964	VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:16:52.0140 0964	VgaSave - ok
10:16:52.0140 0964	ViaIde - ok
10:16:52.0218 0964	VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:16:52.0218 0964	VolSnap - ok
10:16:52.0281 0964	VSS             (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
10:16:52.0281 0964	VSS - ok
10:16:52.0359 0964	W32Time         (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
10:16:52.0359 0964	W32Time - ok
10:16:52.0421 0964	Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:16:52.0437 0964	Wanarp - ok
10:16:52.0468 0964	wanatw          (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
10:16:52.0468 0964	wanatw - ok
10:16:52.0500 0964	wceusbsh        (4c0b8ef721783f52f8e531fbdc4b1f74) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
10:16:52.0500 0964	wceusbsh - ok
10:16:52.0578 0964	WDBtnMgrSvc.exe (7415145731bec8c47267a051f19418f2) C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
10:16:52.0593 0964	WDBtnMgrSvc.exe - ok
10:16:52.0609 0964	WDC_SAM         (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
10:16:52.0609 0964	WDC_SAM - ok
10:16:52.0671 0964	Wdf01000        (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
10:16:52.0671 0964	Wdf01000 - ok
10:16:52.0687 0964	WDICA - ok
10:16:52.0734 0964	wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:16:52.0734 0964	wdmaud - ok
10:16:52.0765 0964	WebClient       (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
10:16:52.0765 0964	WebClient - ok
10:16:52.0859 0964	winachsf        (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
10:16:52.0875 0964	winachsf - ok
10:16:52.0953 0964	winmgmt         (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
10:16:52.0953 0964	winmgmt - ok
10:16:53.0031 0964	WmdmPmSN        (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
10:16:53.0031 0964	WmdmPmSN - ok
10:16:53.0125 0964	Wmi             (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
10:16:53.0140 0964	Wmi - ok
10:16:53.0187 0964	WmiApSrv        (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
10:16:53.0187 0964	WmiApSrv - ok
10:16:53.0375 0964	WMPNetworkSvc   (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
10:16:53.0390 0964	WMPNetworkSvc - ok
10:16:53.0656 0964	WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
10:16:53.0671 0964	WPFFontCache_v0400 - ok
10:16:53.0718 0964	WSearch - ok
10:16:53.0781 0964	WSTCODEC        (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
10:16:53.0781 0964	WSTCODEC - ok
10:16:53.0828 0964	WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:16:53.0828 0964	WudfPf - ok
10:16:53.0859 0964	WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:16:53.0859 0964	WudfRd - ok
10:16:53.0906 0964	WudfSvc         (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
10:16:53.0953 0964	WudfSvc - ok
10:16:54.0015 0964	WZCSVC          (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
10:16:54.0015 0964	WZCSVC - ok
10:16:54.0093 0964	xmlprov         (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
10:16:54.0093 0964	xmlprov - ok
10:16:54.0234 0964	MBR (0x1B8)     (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:16:55.0453 0964	\Device\Harddisk0\DR0 - ok
10:16:55.0468 0964	MBR (0x1B8)     (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
10:16:55.0562 0964	\Device\Harddisk1\DR1 - ok
10:16:55.0578 0964	MBR (0x1B8)     (973e9ba32fdbb305c552ed3e1ebf0686) \Device\Harddisk6\DR13
10:16:55.0906 0964	\Device\Harddisk6\DR13 - ok
10:16:55.0937 0964	Boot (0x1200)   (03409f2e03f31f8c712275412075f830) \Device\Harddisk0\DR0\Partition0
10:16:55.0937 0964	\Device\Harddisk0\DR0\Partition0 - ok
10:16:55.0937 0964	Boot (0x1200)   (1344c8e99ba93f2e92911c237ace17a7) \Device\Harddisk1\DR1\Partition0
10:16:55.0953 0964	\Device\Harddisk1\DR1\Partition0 - ok
10:16:55.0968 0964	Boot (0x1200)   (8eaa5211a81dceed309afac8241fcf64) \Device\Harddisk6\DR13\Partition0
10:16:55.0968 0964	\Device\Harddisk6\DR13\Partition0 - ok
10:16:55.0968 0964	============================================================
10:16:55.0968 0964	Scan finished
10:16:55.0968 0964	============================================================
10:16:56.0015 1052	Detected object count: 0
10:16:56.0015 1052	Actual detected object count: 0

ComboFix 12-07-30.03 - Steve 07/31/2012  11:02:35.1.2 - x86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1756 [GMT -4:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\9MQ7jWq0h1s8iX
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Steve\Local Settings\Application Data\assembly\tmp
c:\documents and settings\Steve\My Documents\~of9B.tmp
c:\documents and settings\Steve\My Documents\~WRL0129.tmp
c:\documents and settings\Steve\My Documents\~WRL0347.tmp
c:\documents and settings\Steve\My Documents\~WRL2195.tmp
c:\documents and settings\Steve\My Documents\~WRL2693.tmp
c:\documents and settings\Steve\My Documents\~WRL2876.tmp
c:\documents and settings\Steve\WINDOWS
c:\windows\assembly\GAC\Desktop.ini
c:\windows\Installer\{578f6115-1fab-b742-d6c7-c74531ccc70b}\@
c:\windows\Installer\{578f6115-1fab-b742-d6c7-c74531ccc70b}\L\00000004.@
c:\windows\Installer\{578f6115-1fab-b742-d6c7-c74531ccc70b}\L\1afb2d56
c:\windows\Installer\{578f6115-1fab-b742-d6c7-c74531ccc70b}\L\201d3dde
c:\windows\Installer\{578f6115-1fab-b742-d6c7-c74531ccc70b}\U\000000cb.@
c:\windows\system32\SET5D9.tmp
c:\windows\system32\SET5DB.tmp
c:\windows\system32\SET5DF.tmp
c:\windows\system32\SET5E0.tmp
c:\windows\system32\SET5E7.tmp
c:\windows\system32\SET5E9.tmp
c:\windows\system32\SET86B.tmp
c:\windows\system32\SET86D.tmp
c:\windows\system32\shimg.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_AMSERVICE
-------\Legacy_NETWORKLOG
-------\Service_6to4
-------\Service_NetworkLog
.
.
(((((((((((((((((((((((((   Files Created from 2012-06-28 to 2012-07-31  )))))))))))))))))))))))))))))))
.
.
2012-07-23 14:12 . 2012-07-23 14:12	--------	d-----w-	C:\FRST
2012-07-21 20:03 . 2012-07-21 20:03	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-07-20 20:39 . 2012-07-20 20:39	--------	d-----w-	c:\program files\ESET
2012-07-20 20:19 . 2012-07-20 20:19	--------	d-----w-	C:\TDSSKiller_Quarantine
2012-07-20 18:41 . 2012-07-20 18:41	--------	d-sh--w-	c:\documents and settings\NetworkService\UserData
2012-07-20 15:43 . 2012-07-20 15:48	56200	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9907D322-6E10-4260-8886-484D4306DD26}\offreg.dll
2012-07-20 01:19 . 2012-06-29 08:44	6891424	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9907D322-6E10-4260-8886-484D4306DD26}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-18 02:15 . 2012-04-16 01:32	426184	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-07-18 02:15 . 2011-05-20 00:21	70344	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-13 01:03 . 2007-06-25 14:29	83392	----a-w-	c:\windows\system32\LMIRfsClientNP.dll
2012-07-13 01:03 . 2007-03-16 16:18	52128	----a-w-	c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-07-13 01:03 . 2007-03-16 16:18	30624	----a-w-	c:\windows\system32\LMIport.dll
2012-07-13 01:03 . 2007-03-16 16:18	87456	----a-w-	c:\windows\system32\LMIinit.dll
2012-07-03 17:46 . 2010-12-13 19:38	22344	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-06-29 08:44 . 2010-12-20 08:27	6891424	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-02 19:19 . 2009-08-07 00:24	22040	----a-w-	c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2009-08-07 00:24	15384	----a-w-	c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2007-03-15 23:12	329240	----a-w-	c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2007-03-15 23:12	210968	----a-w-	c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2007-03-15 23:12	219160	----a-w-	c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2009-08-07 00:24	45080	----a-w-	c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2009-08-07 00:24	15384	----a-w-	c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2008-04-14 12:00	97304	----a-w-	c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2007-03-15 23:12	53784	----a-w-	c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2007-03-15 23:12	35864	----a-w-	c:\windows\system32\wups.dll
2012-06-02 19:19 . 2009-08-07 00:24	17944	----a-w-	c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2007-03-15 23:12	577048	----a-w-	c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2007-03-15 23:12	1933848	----a-w-	c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2008-04-14 12:00	599040	----a-w-	c:\windows\system32\crypt32.dll
2012-05-22 01:03 . 2007-06-25 14:29	83360	----a-w-	c:\windows\system32\LMIRfsClientNP.dll.000.bak
2012-05-22 01:03 . 2007-03-16 16:18	87424	----a-w-	c:\windows\system32\LMIinit.dll.000.bak
2012-05-15 13:20 . 2008-04-14 12:00	1863168	----a-w-	c:\windows\system32\win32k.sys
2012-05-09 13:02 . 2012-05-09 13:03	476960	----a-w-	c:\windows\system32\npdeployJava1.dll
2012-05-09 13:02 . 2012-05-09 13:03	472864	----a-w-	c:\windows\system32\deployJava1.dll
2012-05-09 13:02 . 2007-03-16 15:35	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-10-26 15:58 . 2009-01-27 14:55	113976	----a-w-	c:\program files\mozilla firefox\plugins\atgpcdec.dll
2011-10-26 15:58 . 2009-01-27 14:55	574264	----a-w-	c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-01-27 14:55 . 2009-01-27 14:55	46408	----a-w-	c:\program files\mozilla firefox\plugins\atmccli.dll
2009-01-27 14:55 . 2009-01-27 14:55	98712	----a-w-	c:\program files\mozilla firefox\plugins\ieatgpc.dll
2007-05-22 23:14 . 2007-03-16 16:19	8784	----a-w-	c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-22 23:17 . 2007-03-16 16:19	245408	----a-w-	c:\program files\mozilla firefox\plugins\unicows.dll
2012-06-19 03:23 . 2011-05-09 14:36	85472	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{f4babebc-3e23-47ad-bb74-cb384f30db83}"= "c:\program files\Mileage Plus Shopping Toolbar\Helper.dll" [2011-04-25 357376]
.
[HKEY_CLASSES_ROOT\clsid\{f4babebc-3e23-47ad-bb74-cb384f30db83}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{B217248C-5228-4879-8DD6-607E8717DBB4}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEAACD6D-0008-4CA1-AE75-A00FEC3F9AEA}]
2011-04-25 23:53	1547776	----a-w-	c:\program files\Mileage Plus Shopping Toolbar\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{20F64390-6A1E-4496-807F-E98730F28AE5}"= "c:\program files\Mileage Plus Shopping Toolbar\Toolbar.dll" [2011-04-25 1547776]
.
[HKEY_CLASSES_ROOT\clsid\{20f64390-6a1e-4496-807f-e98730f28ae5}]
[HKEY_CLASSES_ROOT\FCTB000063627.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{163ACE41-A907-46D8-8BEF-EDB300DBE06A}]
[HKEY_CLASSES_ROOT\FCTB000063627.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{20F64390-6A1E-4496-807F-E98730F28AE5}"= "c:\program files\Mileage Plus Shopping Toolbar\Toolbar.dll" [2011-04-25 1547776]
.
[HKEY_CLASSES_ROOT\clsid\{20f64390-6a1e-4496-807f-e98730f28ae5}]
[HKEY_CLASSES_ROOT\FCTB000063627.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{163ACE41-A907-46D8-8BEF-EDB300DBE06A}]
[HKEY_CLASSES_ROOT\FCTB000063627.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CLRHost"="c:\blp\API\OFFICE~1\bbxlcmd.exe" [2007-07-20 102400]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2012-02-20 5860984]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-02 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-12 7626752]
"nwiz"="nwiz.exe" [2006-07-12 1519616]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-09 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-06-12 430080]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-12 86016]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\Steve\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2012-6-13 1014112]
NexDef Plug-in.lnk - c:\documents and settings\Steve\Local Settings\Application Data\Autobahn\nexdef.exe [2011-8-11 15490560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2007-3-16 708608]
MFT Signals.lnk - c:\program files\MFT Signals\StartDesktopAlerts.exe [2010-8-10 45056]
PGPtray.lnk - c:\program files\Network Associates\PGPNT\PGPTray.exe [2008-12-8 57344]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2007-3-16 954368]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-07-13 01:03	87456	----a-w-	c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=c:\documents and settings\Steve\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=c:\windows\pss\Anapod Manager.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-04-02 01:17	68856	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
2007-09-25 14:34	384000	----a-w-	c:\program files\TiVo\Desktop\TiVoNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
2007-09-25 14:35	1495040	----a-w-	c:\program files\TiVo\Desktop\TiVoServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
2007-09-25 14:33	1195008	----a-w-	c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/30/2010 7:37 AM 374184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/25/2007 10:28 AM 12856]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [3/16/2007 12:00 PM 14416]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [10/27/2011 6:56 PM 470528]
R2 PGPmemlock;PGP secure memory driver;c:\windows\system32\drivers\PGPmemlock.sys [12/8/2008 12:34 PM 6656]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 2:16 PM 93960]
R2 TF Update;TF Update;c:\program files\Thomson Financial\Thomson ONE\Softdist\TF Update.exe [11/6/2003 10:54 AM 225329]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [9/25/2007 10:33 AM 867328]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [6/12/2008 11:13 AM 102400]
S0 cerc6;cerc6; [x]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 5762;5762;\??\c:\docume~1\Steve\LOCALS~1\Temp\5762.sys --> c:\docume~1\Steve\LOCALS~1\Temp\5762.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/27/2010 1:24 PM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/15/2012 9:32 PM 250056]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [3/16/2007 12:00 PM 44344]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/27/2010 1:24 PM 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/2/2012 8:30 PM 113120]
S3 PulseUsb;Livescribe Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [4/29/2012 9:42 PM 20480]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [12/4/2008 9:11 PM 11520]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/17/2008 11:22 AM 717296]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 15:15]
.
2012-07-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 17:24]
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 17:24]
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1844823847-725345543-1003Core.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-09 01:09]
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1844823847-725345543-1003UA.job
- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-09 01:09]
.
2012-07-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2012-07-20 c:\windows\Tasks\SyncBackSE Backup T non-archived to Office.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2007-03-16 22:52]
.
2012-07-20 c:\windows\Tasks\SyncBackSE Beth's C Photos.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2007-03-16 22:52]
.
2012-07-20 c:\windows\Tasks\SyncBackSE Beth's C Videos.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2007-03-16 22:52]
.
2012-07-20 c:\windows\Tasks\SyncBackSE Beth's Documents.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2007-03-16 22:52]
.
2012-07-20 c:\windows\Tasks\SyncBackSE Beth's Kodak Pics.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2007-03-16 22:52]
.
2012-07-20 c:\windows\Tasks\SyncBackSE C drive backup.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2007-03-16 22:52]
.
2012-07-20 c:\windows\Tasks\SyncBackSE Shanie's Documents.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2007-03-16 22:52]
.
2012-07-20 c:\windows\Tasks\SyncBackSE Steve's Images.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2007-03-16 22:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.5.10
DPF: {4CB3C837-368E-4258-BF8F-E12317BF8AD4} - hxxp://www.tfservicecenter.com/TONEUpgradeFiles/sysreqs.cab
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\kzj0hcy9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{89867A4A-BDEE-4259-964A-B8E87C4892F3} - (no file)
BHO-{96CEA57F-AC68-4618-A1A2-DCF5428AF18B} - (no file)
WebBrowser-{D99F55AC-3BC6-45A9-95AC-AE07F0CDF943} - (no file)
WebBrowser-{EF91116F-DE92-4286-9087-093085152182} - (no file)
HKCU-Run-FolderShare - c:\program files\FolderShare\FolderShare.exe
SafeBoot-MsMpSvc
MSConfigStartUp-hsfyjvbo - c:\docume~1\Steve\LOCALS~1\Temp\fgioxdfqk\fgxvdouaffm.exe
MSConfigStartUp-xbxiwaaj - c:\docume~1\Steve\LOCALS~1\Temp\btwnxwtlh\fmakfdbaffm.exe
AddRemove-{10900ADA-A280-4fd4-ADC6-FC290B758283} - c:\program files\BreezeSys\BreezeBrowserPro\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-31 11:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
.
c:\windows\system32\FlashPlayerInstaller.exe 9821896 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\WININET.dll
c:\windows\system32\PGPhk.dll
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp1.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Retrospect\Retrospect 7.5\retrorun.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\blp\API\OFFICE~1\Bloomberg.UIServer.exe
c:\blp\API\OFFICE~1\Bloomberg.RtdServer.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\program files\MFT Signals\DesktopAlerts.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-07-31  11:20:06 - machine was rebooted
ComboFix-quarantined-files.txt  2012-07-31 15:19
.
Pre-Run: 10,975,215,616 bytes free
Post-Run: 13,478,612,992 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 65CAA1A8A4C172A0EC613CD12DC0AE90


#6 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 31 July 2012 - 04:28 PM

Hello,

Have you tried to do a system Restore to an earlier date before this all started happening?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 Catul (Topic Starter, Members, 11 posts)

Posted 01 August 2012 - 07:33 AM

I will try to restore to an earlier point and let you know the results in a couple of hours. I also think there's a chance the video flickering/flashing issue could be used by the Logmein software; is it ok to reinstall that as well? Thanks!

#8 Catul (Topic Starter, Members, 11 posts)

Posted 01 August 2012 - 09:58 AM

Windows was unsuccessful in restoring; I tried two different System Restore points (the second time I initiated it in Safe Mode). I've uninstalled the Logmein software but am still having the flashing to black/losing video issue - other than that, the PC seems ok. I could try to update the video driver (this is a Dell with an nVidia Quadro FX 550 video card); is that ok to do? What do you recommend I try next? Thanks!

#9 Catul (Topic Starter, Members, 11 posts)

Posted 01 August 2012 - 03:41 PM

I've also noticed that this screen flashing to black seems to happen every 3-6 seconds while I'm using the computer (moving the mouse, etc.) but less frequently (maybe twice in a minute) when there is no activity at all; very strange! It's also not just a black screen; sometimes I also get the icons and other parts of the screen messed up, like the screen redraw didn't quite happen correctly.

I'd appreciate your thoughts on this, and what my next step should be - thanks very much.

#10 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 01 August 2012 - 04:26 PM

Hello,

This could be a hardware or software issue. I would go ahead and update the drivers. I think this could also be a monitor problem. Do you have another monitor you can try, to see if it still does it?



#11 Catul (Topic Starter, Members, 11 posts)

Posted 02 August 2012 - 02:25 PM

I reinstalled the nVidia driver and all is good! The PC seems fine now, no more Google redirects or other popups; Malwarebyte's AntiSpyware comes up clean. Are there any other scans I should do to make sure there are no remnants of anything?

Thanks so much for all your help, again it's much appreciated!

#12 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 02 August 2012 - 05:42 PM

Hello, Catul.
Congratulations! You now appear clean!


Uninstall Combofix
  • Make sure that the Combofix.exe you downloaded is on your Desktop, but do not run it!
    If it is not on your Desktop, the steps below will not work.
  • Click on Start, then Run....
  • Now copy & paste the green bolded text into the run-box and click OK.

    ComboFix /Uninstall

    Notice the space between the "x" and "/". It needs to be there.
    Windows Vista users: Press the Windows Key + R to bring up the Run... command, and from there you can enter ComboFix /Uninstall

  • Please advise if this step is missed for any reason, as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore."

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process?". Please select Yes.
  • Restart your computer when prompted.

One of the most common questions found when cleaning malware is "how did my machine get infected?"

There are a variety of reasons, but the most common ones are that you are not practicing Safe Internet, you are not running the proper security software or that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer to help reduce the chance of being infected again in the future.

Do not use P2P programs
Peer-to-peer or file-sharing programs (such as uTorrent, LimeWire and BitTorrent) are probably the primary route of infection nowadays. These programs allow file sharing between users, as the name(s) suggest. It is almost impossible to know whether the file you're downloading through P2P programs is safe.

It is therefore possible to be infected by downloading infected files via peer-to-peer programs, and so I recommend that you do not use these programs. Should you wish to use them, they must be used with extreme care. Some further reading on this subject, along with included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

In addition, P2P programs facilitate cyber crime and help distribute pirated software, movies and other illegal material.

Practice Safe Internet
Another one of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.

Below is a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know who is themselves infected with malware which is trying to infect everyone in their address book. A key thing to look out for here is: does the email sound as though it’s from the person you know? Often, the email may simply have a web link or a “Run this file to make your PC run fast” message in it.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of pop-ups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. Removal instructions for a lot of these "rogues" can be found here.
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you, or will download a file to your PC without your knowledge. You can check to see if it's a real alert by right-clicking on the window. If a menu comes up saying Add to Favorites..., you know it's a fake. DO NOT click on these windows; instead close them by finding the open window on your Taskbar, right-clicking it and choosing Close.
  • Do not visit pornographic websites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do, as this can often form part of their funding.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link you should message back to the person asking if it is legit.
  • Stay away from Warez and Crack sites! As with Peer-2-Peer programs, in addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download files from a site, and are not sure if they are legitimate, you can use tools such as BitDefender Traffic Light, Norton Safe Web, or McAfee SiteAdvisor to look up info on the site and stay protected against malicious sites. Please be sure to choose and install only one of those toolbars.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
    Sometimes even legitimate programs will try to bundle extra, unwanted, software with the program you want - this is done to raise money for the program. Be sure to untick any boxes which may indicate that other programs will be downloaded.

Keep Windows up-to-date
Microsoft continually releases security and stability updates for its supported operating systems and you should always apply these to help keep your PC secure.

  • Windows XP users
    You should visit Windows Update to check for the latest updates to your system. The latest service pack (SP3) can be obtained directly from Microsoft here.
  • Windows Vista users
    You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP2) can be obtained directly from Microsoft here.
  • Windows 7 users
    You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP1) can be obtained directly from Microsoft here.


Keep your browser secure
Most modern browsers have come on in leaps and bounds with their inbuilt, default security. The best way to keep your browser secure nowadays is simply to keep it up-to-date.

The latest versions of the three common browsers can be found below:

Use an AntiVirus Software
It is very important that your computer has an up-to-date anti-virus software on it which has a real-time agent running. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online and stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources. A couple of free Anti-Virus programs you may be interested in are Microsoft Security Essentials and Avast.

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Use a Firewall
I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

All versions of Windows starting from XP have an in-built firewall. With Windows XP this firewall will protect you from incoming traffic (i.e. hackers). Starting with Windows Vista, the firewall was beefed up to also protect you against outgoing traffic (i.e. malicious programs installed on your machine should be blocked from sending data, such as your bank details and passwords, out).

In addition, if you connect to the internet via a router, this will normally have a firewall in-built.

Some people will recommend installing a different firewall (instead of the Windows built-in one); this is a personal choice, but the message is to definitely have one! For a tutorial on Firewalls and a listing of some available ones see this link: Understanding and Using Firewalls

Install an Anti-Malware program
Recommended, and free, Anti-Malware programs are Malwarebytes Anti-Malware and SuperAntiSpyware.

You should regularly (perhaps once a week) scan your computer with an Anti-Malware program just as you would with an antivirus software.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is very important to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities (such as Adobe Reader and Java). You can check these by visiting Secunia Software Inspector.

Follow this list and your potential for being infected again will reduce dramatically.



#13 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 04 August 2012 - 09:23 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





