Browser Hijacked


  • This topic is locked
31 replies to this topic

#1 TaxPro

TaxPro

  • Members
  • 27 posts
  • OFFLINE

Posted 26 November 2012 - 10:23 PM

This seems to be a very hot topic right now... looks like several new threads have opened up about this. But I am heeding the warnings that what is recommended for one user may not work for another.

My Google searches are getting redirected to something that appears to be "livesearchnow," but often goes to a numeric IP address. Happens in both FF and IE.

Here's the DDS text log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6000.17112 BrowserJavaVersion: 10.7.2
Run by kossbu at 22:13:00 on 2012-11-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1497 [GMT -5:00]
.
AV: BitDefender Antivirus *Enabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\BitDefender\BitDefender 2011\vsserv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\BitDefender\BitDefender 2011\updatesrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BitDefender\BitDefender 2011\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\BitDefender\BitDefender 2011\pchooklaunch32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Bitdefender Toolbar: {381FFDE8-2394-4F90-B10D-FC6124A40F8C} - c:\program files\bitdefender\bitdefender 2011\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adobe] rundll32.exe "c:\documents and settings\kossbu\local settings\application data\logmein\adobe\kecbsj.dll",DllRegisterServerW
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2011\ieshow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2011\bdagent.exe"
dRun: [Adobe] rundll32.exe "c:\documents and settings\kossbu\local settings\application data\logmein\adobe\kecbsj.dll",DllRegisterServerW
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1340531651984
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1340531631453
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://76.200.196.89:85/WebClient.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://esource.ohiohealth.com/dana-cached/sc/JuniperSetupClient.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=928
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{A1EC5310-D9B5-4C3E-BF7D-E9700B4DEF9D} : DHCPNameServer = 209.18.47.61 209.18.47.62
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kossbu\application data\mozilla\firefox\profiles\in8pm2dt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\bitdefender\bitdefender 2010\bdaphffext\components\bdaphff2.dll
FF - component: c:\program files\bitdefender\bitdefender 2010\bdaphffext\components\bdaphff3.6.dll
FF - component: c:\program files\bitdefender\bitdefender 2010\bdaphffext\components\bdaphff3.dll
FF - plugin: c:\documents and settings\kossbu\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\kossbu\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_278.dll
FF - ExtSQL: 2012-11-04 12:25; FFToolbar@bitdefender.com; c:\program files\bitdefender\bitdefender 2011\bdaphffext
FF - ExtSQL: !HIDDEN! 2012-06-24 07:43; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 BdRawPr;BdRawPr;c:\windows\system32\drivers\bdrawpr.sys [2012-11-3 12960]
R1 Bdvedisk;BDVEDISK;c:\windows\system32\drivers\bdvedisk.sys [2010-1-19 85128]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-11-21 399432]
R2 Updatesrv;BitDefender Desktop Update Service;c:\program files\bitdefender\bitdefender 2011\updatesrv.exe [2011-3-24 43936]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2010-4-22 153440]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf.sys [2010-8-20 111696]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-23 676936]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-11-8 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-11-8 3072]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-23 22856]
S3 Update Server;BitDefender Update Server v2;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2010-11-30 307544]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2010-11-29 535824]
S4 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2010-11-29 1066232]
S4 Freemake Improver;Freemake Improver;c:\documents and settings\all users\application data\freemake\freemakeutilsservice\FreemakeUtilsService.exe [2011-12-16 74752]
.
=============== Created Last 30 ================
.
2012-11-16 00:22:01 -------- d--h--r- C:\ESD
2012-11-11 19:57:03 -------- d--h--w- c:\documents and settings\all users\application data\CanonIJScan
2012-11-11 18:02:19 -------- d-----w- c:\documents and settings\all users\application data\CanonIJ
2012-11-11 18:01:04 -------- d--h--w- c:\documents and settings\all users\application data\CanonIJSolutionMenuEX
2012-11-11 18:00:50 -------- d-----w- c:\documents and settings\all users\application data\CanonIJPLM
2012-11-11 17:59:26 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2012-11-11 17:59:26 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-11-11 17:59:14 307200 ----a-w- c:\windows\system32\CNC280L.dll
2012-11-11 17:59:14 1335296 ----a-w- c:\windows\system32\CNC280C.dll
2012-11-11 17:59:14 114688 ----a-w- c:\windows\system32\CNC280I.dll
2012-11-11 17:59:13 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2012-11-11 17:59:13 106496 ----a-w- c:\windows\system32\CNC280U.dll
2012-11-11 17:59:12 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-11-11 17:59:12 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-11-11 17:58:15 -------- d-----w- c:\documents and settings\all users\application data\CanonIJMSetup
2012-11-11 17:58:09 -------- d-----w- c:\documents and settings\all users\application data\CanonIJWSpt
2012-11-11 17:57:07 73216 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPPAA.DLL
2012-11-11 17:57:07 290816 ----a-w- c:\windows\system32\CNMLMAA.DLL
2012-11-11 17:57:07 27648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPDAA.DLL
2012-11-11 17:56:59 94208 ----a-w- c:\windows\system32\CNC280O.dll
2012-11-11 17:56:57 180224 ----a-w- c:\windows\system32\CNMIUAA.DLL
2012-11-11 17:55:31 -------- d-----w- c:\program files\Canon
2012-11-04 04:22:09 -------- d-----w- c:\documents and settings\kossbu\local settings\application data\Jaksta_Technologies_Pty_L
2012-11-04 04:20:15 -------- d-----w- c:\program files\Applian Technologies
2012-11-04 04:19:45 -------- d-----w- c:\documents and settings\all users\application data\Applian
2012-11-04 02:02:03 -------- d-----w- c:\documents and settings\kossbu\application data\BitDefender
2012-11-04 01:57:27 -------- d-----w- c:\documents and settings\all users\application data\c75b0000-a4c5-4045-8f93-8c8539712595
2012-11-04 01:48:48 -------- d-----w- c:\documents and settings\kossbu\application data\QuickScan
2012-11-04 01:47:56 306320 ----a-w- c:\windows\system32\drivers\trufos.sys
2012-11-04 01:47:55 353096 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2012-11-04 01:47:55 12960 ----a-w- c:\windows\system32\drivers\bdrawpr.sys
2012-11-04 01:47:54 177913 ----a-w- c:\documents and settings\all users\application data\bdinstall.bin
.
==================== Find3M ====================
.
2012-11-04 02:54:07 153440 ----a-w- c:\windows\system32\drivers\bdfm.sys
2012-09-30 00:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-22 02:53:29 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-22 02:53:28 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-22 02:43:42 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-22 02:43:39 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-22 02:43:38 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-05 22:25:56 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-10 19:33:38 240720 ----a-w- c:\program files\UpdateMgr.exe
2012-04-10 19:33:36 16531456 ----a-w- c:\program files\1040_FedCalc.dll
2012-04-10 19:33:36 1220608 ----a-w- c:\program files\1040_FedPrint.dll
2012-04-10 19:33:36 11058256 ----a-w- c:\program files\TaxACT11.exe
2012-04-03 13:23:04 3112960 ----a-w- c:\program files\1040_MIcalc.dll
2012-03-27 14:47:40 1884160 ----a-w- c:\program files\1040_IAcalc.dll
2012-03-13 19:34:36 1290240 ----a-w- c:\program files\1040_NJcalc.dll
2012-02-29 17:07:44 1118208 ----a-w- c:\program files\1040_OHcalc.dll
2012-02-29 13:45:40 3977216 ----a-w- c:\program files\1040_NYcalc.dll
2012-02-29 13:45:40 269736 ----a-w- c:\program files\UnStTax.exe
2012-02-29 13:45:40 152064 ----a-w- c:\program files\Unstate.exe
2012-02-08 15:18:04 1048576 ----a-w- c:\program files\1040_ILcalc.dll
2012-02-02 17:18:54 286848 ----a-w- c:\program files\Unta11.exe
2012-02-02 17:18:54 1802752 ----a-w- c:\program files\PDFText.dll
2012-02-02 17:18:54 152064 ----a-w- c:\program files\Unwise32.exe
2012-02-02 17:18:54 1455616 ----a-w- c:\program files\HTMLCapture.dll
2012-02-02 17:18:54 1404928 ----a-w- c:\program files\Dynapdf.dll
2012-02-02 17:18:54 126976 ----a-w- c:\program files\Taxpdf.dll
2012-01-25 18:50:56 1732608 ----a-w- c:\program files\1040_INcalc.dll
2010-07-08 14:37:14 101544 ----a-w- c:\program files\common files\LinkInstaller.exe
2004-07-06 20:38:28 20208 ----a-w- c:\program files\sssocra.fon
.
============= FINISH: 22:14:19.54 ===============

And I am attaching the attach.txt file.

Any help will be greatly appreciated.
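One way a helper could triage the DDS "Pseudo HJT Report" above before any cleanup tool runs is to flag the entries that deserve a closer look: a Run-key value that uses rundll32 to load a DLL out of the user's profile (the "[Adobe]" entries under uRun/dRun) and a DPF ActiveX download whose URL names a bare IP address. This is an added example, not code from the thread, from DDS or from any tool the thread mentions; the sample lines are constructed copies in DDS's report format, and the list of user-writable directory hints is an assumption, so a hit means "review this", not "this is malware".

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in the layout of the DDS "Pseudo HJT Report" section:
# Run-key entries (uRun = user, mRun = machine, dRun = default user) and
# DPF (Download Program Files / ActiveX) entries.  DDS defangs URL schemes as hxxp.
SAMPLE_LOG = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [Adobe] rundll32.exe "c:\\documents and settings\\kossbu\\local settings\\application data\\logmein\\adobe\\kecbsj.dll",DllRegisterServerW
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
mRun: [BDAgent] "c:\\program files\\bitdefender\\bitdefender 2011\\bdagent.exe"
dRun: [Adobe] rundll32.exe "c:\\documents and settings\\kossbu\\local settings\\application data\\logmein\\adobe\\kecbsj.dll",DllRegisterServerW
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://76.200.196.89:85/WebClient.cab
"""

RUN_RE = re.compile(r'^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
DPF_RE = re.compile(r'^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>\S+)$')

# Assumption: directories that any process running as the user can write to
# without elevation.  Installed software normally keeps its DLLs elsewhere,
# so a Run entry loading a DLL from here is unusual enough to warrant review.
USER_WRITABLE_HINTS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\appdata\\",
    "\\temp\\",
)


def rundll32_target(cmd):
    """Return the DLL path a rundll32 command line loads, or None if cmd is not rundll32."""
    m = re.match(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,', cmd, re.IGNORECASE)
    return m.group(1) if m else None


def is_user_writable(path):
    """True when the path sits under one of the user-writable directory hints."""
    lowered = path.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def url_host_is_ip(url):
    """True when the (defanged) URL's host is a bare IP address rather than a hostname."""
    refanged = re.sub(r'^hxxp', 'http', url, flags=re.IGNORECASE)
    host = urlparse(refanged).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def triage(log_text):
    """Return (log_line, reason) pairs worth a closer look, in log order."""
    findings = []
    for line in log_text.splitlines():
        run = RUN_RE.match(line)
        if run:
            dll = rundll32_target(run.group("cmd"))
            if dll and is_user_writable(dll):
                findings.append((line, f"{run.group('hive')}Run [{run.group('name')}] loads a DLL "
                                       f"via rundll32 from a user-writable profile path: {dll}"))
            continue
        dpf = DPF_RE.match(line)
        if dpf and url_host_is_ip(dpf.group("url")):
            findings.append((line, f"DPF ActiveX control fetched from a bare IP address: {dpf.group('url')}"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"REVIEW: {reason}\n    {entry}")
```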


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico

Posted 27 November 2012 - 07:50 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next; if you have any problems with one of these, just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 TaxPro

TaxPro
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE

Posted 27 November 2012 - 11:35 AM

Thanks for your help!

The reports are below.

Searches are still getting redirected.

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
BitDefender Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Malwarebytes Anti-Malware version 1.65.1.1000
HijackThis 2.0.2
Java 7 Update 7
Java version out of Date!
Adobe Flash Player 11.4.402.278
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox 15.0.1 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Malwarebytes' Anti-Malware mbamscheduler.exe
BitDefender BitDefender 2011 vsserv.exe
BitDefender BitDefender 2011 updatesrv.exe
BitDefender BitDefender 2011 bdagent.exe
BitDefender BitDefender 2011 pchooklaunch32.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 26% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

# AdwCleaner v2.009 - Logfile created 11/27/2012 at 08:52:38
# Updated 24/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : kossbu - CBLLC-007
# Boot Mode : Normal
# Running from : C:\Documents and Settings\kossbu\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.5730.13

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\kossbu\Application Data\Mozilla\Firefox\Profiles\in8pm2dt.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [728 octets] - [27/11/2012 08:52:38]

########## EOF - C:\AdwCleaner[S1].txt - [787 octets] ##########


RogueKiller V8.3.1 [Nov 26 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : kossbu [Admin rights]
Mode : Remove -- Date : 11/27/2012 11:29:53

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[17] : NtAllocateVirtualMemory @ 0x80570BC5 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E3DE8)
SSDT[19] : NtAssignProcessToJobObject @ 0x805E1DE3 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E4868)
SSDT[25] : NtClose @ 0x8056F8D7 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E6EAE)
SSDT[31] : NtConnectPort @ 0x80590C5B -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E57AE)
SSDT[37] : NtCreateFile @ 0x80573DFB -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E519C)
SSDT[41] : NtCreateKey @ 0x80578ABE -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E5E88)
SSDT[47] : NtCreateProcess @ 0x805B7BF5 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E4ABE)
SSDT[48] : NtCreateProcessEx @ 0x8058B7F4 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E4B74)
SSDT[50] : NtCreateSection @ 0x8056DB66 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E4D36)
SSDT[53] : NtCreateThread @ 0x805860C0 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E3758)
SSDT[66] : NtDeviceIoControlFile @ 0x80588ABD -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E5FF8)
SSDT[68] : NtDuplicateObject @ 0x8057DDAF -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E9DCC)
SSDT[84] : NtFsControlFile @ 0x80582287 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E62B0)
SSDT[97] : NtLoadDriver @ 0x805B06F6 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E425E)
SSDT[105] : NtMakeTemporaryObject @ 0x805E0BF9 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E6C86)
SSDT[116] : NtOpenFile @ 0x80579E8D -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E5076)
SSDT[122] : NtOpenProcess @ 0x8057BB80 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E9838)
SSDT[125] : NtOpenSection @ 0x8057B96A -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E4C2E)
SSDT[128] : NtOpenThread @ 0x80596A0F -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E9AD2)
SSDT[137] : NtProtectVirtualMemory @ 0x80582620 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E3C6C)
SSDT[180] : NtQueueApcThread @ 0x8059A8E8 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E4990)
SSDT[193] : NtReplaceKey @ 0x806570B6 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E6AD4)
SSDT[199] : NtRequestPort @ 0x805E6AD8 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E591C)
SSDT[200] : NtRequestWaitReplyPort @ 0x8057D89E -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E52CC)
SSDT[204] : NtRestoreKey @ 0x80656C4D -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E6B5E)
SSDT[210] : NtSecureConnectPort @ 0x80587C11 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E5D18)
SSDT[213] : NtSetContextThread @ 0x8063629D -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E38C8)
SSDT[237] : NtSetSecurityObject @ 0x8059EC29 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E6A2E)
SSDT[240] : NtSetSystemInformation @ 0x805B2328 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E440A)
SSDT[249] : NtShutdownSystem @ 0x8064F19B -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E6BF0)
SSDT[253] : NtSuspendProcess @ 0x80637B7B -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E3B44)
SSDT[254] : NtSuspendThread @ 0x80637A97 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E3A1E)
SSDT[255] : NtSystemDebugControl @ 0x80651981 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E479A)
SSDT[257] : NtTerminateProcess @ 0x8058E6B9 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E9730)
SSDT[258] : NtTerminateThread @ 0x80582DD9 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E9FBE)
SSDT[262] : NtUnloadDriver @ 0x80624BBC -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E6D1C)
SSDT[277] : NtWriteVirtualMemory @ 0x805873F6 -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E35DC)
S_SSDT[307] : NtUserAttachThreadInput -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E322E)
S_SSDT[322] : NtUserCallNoParam -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E3436)
S_SSDT[323] : NtUserCallOneParam -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E3388)
S_SSDT[347] : NtUserDdeSetQualityOfService -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E3194)
S_SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E3130)
S_SSDT[414] : NtUserGetKeyboardState -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E2FC2)
S_SSDT[416] : NtUserGetKeyState -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E2F5E)
S_SSDT[460] : NtUserMessageCall -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E2C68)
S_SSDT[475] : NtUserPostMessage -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E2A6E)
S_SSDT[476] : NtUserPostThreadMessage -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E2AEE)
S_SSDT[491] : NtUserRegisterRawInputDevices -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E2CF0)
S_SSDT[502] : NtUserSendInput -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E2A1C)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E20F8)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (\??\C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys @ 0xB77E2580)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST340014AS +++++
--- User ---
[MBR] bd1ce81401a6655c5db97c13b7123b6f
[BSP] b50ac547595fee16cf8ebc2a0c8c13c0 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 38164 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_11272012_02d1129.txt >>
RKreport[1]_S_11272012_02d1128.txt ; RKreport[2]_D_11272012_02d1129.txt

Edited by TaxPro, 27 November 2012 - 11:40 AM.


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico

Posted 27 November 2012 - 06:18 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 TaxPro

TaxPro
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE

Posted 27 November 2012 - 09:01 PM

I downloaded and ran ComboFix.

It did not produce the error about an illegal operation.

I got the blue command line screen, and it said it was scanning. Everything looked okay.

When the blue box disappeared, the computer did NOT reboot.

When I opened Firefox, I got a "page cannot be displayed" error. No internet connection.

I rebooted using the start menu. The internet connection is working now.

ComboFix does not appear to have produced a report. If it did, I don't know where to find it.

Searches are still getting redirected.

BMK

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico

Posted 28 November 2012 - 07:14 AM

Hello

OK, let's try this: I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#7 TaxPro
  • Topic Starter
  • Members
  • 27 posts

Posted 28 November 2012 - 12:10 PM

I ran ComboFix in safe mode.

Seems to have done a lot more work than it did when running in regular boot mode before, and this time it did produce a log report, which I have pasted below.

Unfortunately, searches are still getting redirected.

Here's the log:

ComboFix 12-11-27.01 - kossbu 11/28/2012 11:44:58.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1784 [GMT -5:00]
Running from: c:\documents and settings\kossbu\Desktop\ComboFix.exe
AV: BitDefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *Enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\kossbu\Application Data\twext.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-28 )))))))))))))))))))))))))))))))
.
.
2012-11-27 05:12 . 2012-11-27 05:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\QuickScan
2012-11-16 00:22 . 2012-11-16 00:22 -------- d-----r- C:\ESD
2012-11-11 18:02 . 2012-11-11 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJ
2012-11-11 18:02 . 2012-11-11 19:57 -------- d-----w- c:\documents and settings\kossbu\Application Data\Canon
2012-11-11 17:59 . 2008-04-14 05:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2012-11-11 17:59 . 2008-04-14 05:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-11-11 17:59 . 2010-03-19 00:25 307200 ----a-w- c:\windows\system32\CNC280L.dll
2012-11-11 17:59 . 2010-03-18 22:12 1335296 ----a-w- c:\windows\system32\CNC280C.dll
2012-11-11 17:59 . 2010-03-18 22:12 114688 ----a-w- c:\windows\system32\CNC280I.dll
2012-11-11 17:59 . 2010-03-18 22:11 106496 ----a-w- c:\windows\system32\CNC280U.dll
2012-11-11 17:59 . 2008-08-25 23:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2012-11-11 17:59 . 2008-04-14 05:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-11-11 17:59 . 2008-04-14 05:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-11-11 17:57 . 2012-11-11 17:57 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2012-11-11 17:57 . 2010-08-25 10:00 73216 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPPAA.DLL
2012-11-11 17:57 . 2010-08-25 10:00 290816 ----a-w- c:\windows\system32\CNMLMAA.DLL
2012-11-11 17:57 . 2010-08-25 10:00 27648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPDAA.DLL
2012-11-11 17:57 . 2012-11-11 17:57 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2012-11-11 17:56 . 2010-01-13 14:03 94208 ----a-w- c:\windows\system32\CNC280O.dll
2012-11-11 17:56 . 2010-03-11 08:56 180224 ----a-w- c:\windows\system32\CNMIUAA.DLL
2012-11-11 17:55 . 2012-11-11 17:58 -------- d-----w- c:\program files\Canon
2012-11-04 04:22 . 2012-11-27 02:23 -------- d-----w- c:\documents and settings\kossbu\Local Settings\Application Data\Jaksta_Technologies_Pty_L
2012-11-04 04:20 . 2012-11-27 02:51 -------- d-----w- c:\program files\Applian Technologies
2012-11-04 04:19 . 2012-11-04 04:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Applian
2012-11-04 02:02 . 2012-11-04 02:02 -------- d-----w- c:\documents and settings\kossbu\Application Data\BitDefender
2012-11-04 01:57 . 2012-11-04 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\c75b0000-a4c5-4045-8f93-8c8539712595
2012-11-04 01:48 . 2012-11-04 01:48 -------- d-----w- c:\documents and settings\kossbu\Application Data\QuickScan
2012-11-04 01:47 . 2012-11-04 02:49 306320 ----a-w- c:\windows\system32\drivers\trufos.sys
2012-11-04 01:47 . 2011-03-24 19:36 353096 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2012-11-04 01:47 . 2010-05-13 21:02 12960 ----a-w- c:\windows\system32\drivers\bdrawpr.sys
2012-11-04 01:47 . 2012-11-04 02:26 177913 ----a-w- c:\documents and settings\All Users\Application Data\bdinstall.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-04 02:54 . 2010-04-22 17:19 153440 ----a-w- c:\windows\system32\drivers\bdfm.sys
2012-09-30 00:54 . 2012-03-23 21:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-22 02:53 . 2012-04-04 08:48 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-22 02:53 . 2011-11-08 00:27 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-22 02:43 . 2012-09-22 02:44 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-22 02:43 . 2012-09-22 02:44 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-22 02:43 . 2011-11-08 02:35 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-05 22:25 . 2012-05-02 02:35 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-10 19:33 . 2012-02-07 20:53 240720 ----a-w- c:\program files\UpdateMgr.exe
2012-04-10 19:33 . 2012-02-07 20:53 1220608 ----a-w- c:\program files\1040_FedPrint.dll
2012-04-10 19:33 . 2012-02-07 20:53 11058256 ----a-w- c:\program files\TaxACT11.exe
2012-04-10 19:33 . 2012-02-07 20:53 16531456 ----a-w- c:\program files\1040_FedCalc.dll
2012-04-03 13:23 . 2012-02-22 23:42 3112960 ----a-w- c:\program files\1040_MIcalc.dll
2012-03-27 14:47 . 2012-02-22 23:43 1884160 ----a-w- c:\program files\1040_IAcalc.dll
2012-03-13 19:34 . 2012-04-10 17:05 1290240 ----a-w- c:\program files\1040_NJcalc.dll
2012-02-29 17:07 . 2012-02-07 20:58 1118208 ----a-w- c:\program files\1040_OHcalc.dll
2012-02-29 13:45 . 2012-10-13 19:40 3977216 ----a-w- c:\program files\1040_NYcalc.dll
2012-02-29 13:45 . 2012-02-07 20:58 269736 ----a-w- c:\program files\UnStTax.exe
2012-02-29 13:45 . 2012-02-07 20:58 152064 ----a-w- c:\program files\Unstate.exe
2012-02-08 15:18 . 2012-02-22 23:42 1048576 ----a-w- c:\program files\1040_ILcalc.dll
2012-02-02 17:18 . 2012-02-07 20:53 286848 ----a-w- c:\program files\Unta11.exe
2012-02-02 17:18 . 2012-02-07 20:53 152064 ----a-w- c:\program files\Unwise32.exe
2012-02-02 17:18 . 2012-02-07 20:53 1802752 ----a-w- c:\program files\PDFText.dll
2012-02-02 17:18 . 2012-02-07 20:53 1455616 ----a-w- c:\program files\HTMLCapture.dll
2012-02-02 17:18 . 2012-02-07 20:53 1404928 ----a-w- c:\program files\Dynapdf.dll
2012-02-02 17:18 . 2012-02-07 20:53 126976 ----a-w- c:\program files\Taxpdf.dll
2012-01-25 18:50 . 2012-04-10 16:03 1732608 ----a-w- c:\program files\1040_INcalc.dll
2010-07-08 14:37 . 2010-07-08 14:37 101544 ----a-w- c:\program files\Common Files\LinkInstaller.exe
2004-07-06 20:38 . 2012-02-07 20:53 20208 ----a-w- c:\program files\sssocra.fon
2012-09-06 01:27 . 2012-09-22 02:58 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-14 13537280]
"nwiz"="nwiz.exe" [2008-07-14 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-14 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2011\ieshow.exe" [2012-11-04 92352]
"BDAgent"="c:\program files\BitDefender\BitDefender 2011\bdagent.exe" [2012-11-04 1451928]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2010-04-02 15:18 1185112 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Freemake Improver"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
S1 BdRawPr;BdRawPr;c:\windows\system32\drivers\bdrawpr.sys [11/3/2012 8:47 PM 12960]
S1 Bdvedisk;BDVEDISK;c:\windows\system32\drivers\bdvedisk.sys [1/19/2010 6:32 PM 85128]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [11/21/2012 12:36 PM 399432]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/23/2012 4:50 PM 676936]
S2 Updatesrv;BitDefender Desktop Update Service;c:\program files\BitDefender\BitDefender 2011\updatesrv.exe [3/24/2011 6:46 PM 43936]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [4/22/2010 12:19 PM 153440]
S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\program files\Common Files\BitDefender\BitDefender Firewall\bdfndisf.sys [8/20/2010 2:41 PM 111696]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [11/8/2011 6:42 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [11/8/2011 6:42 PM 3072]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/23/2012 4:50 PM 22856]
S3 Update Server;BitDefender Update Server v2;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [11/30/2010 6:19 AM 307544]
S4 avc3;avc3;c:\windows\system32\drivers\avc3.sys [11/29/2010 1:12 PM 535824]
S4 avckf;avckf;c:\windows\system32\drivers\avckf.sys [11/29/2010 1:12 PM 1066232]
S4 Freemake Improver;Freemake Improver;c:\documents and settings\All Users\Application Data\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [12/16/2011 10:49 PM 74752]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://76.200.196.89:85/WebClient.cab
FF - ProfilePath - c:\documents and settings\kossbu\Application Data\Mozilla\Firefox\Profiles\in8pm2dt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - ExtSQL: 2012-11-04 12:25; FFToolbar@bitdefender.com; c:\program files\BitDefender\BitDefender 2011\bdaphffext
FF - ExtSQL: !HIDDEN! 2012-06-24 07:43; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-28 11:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(232)
c:\windows\system32\igfxdev.dll
.
Completion time: 2012-11-28 11:56:19
ComboFix-quarantined-files.txt 2012-11-28 16:56
.
Pre-Run: 1,851,076,608 bytes free
Post-Run: 5,507,076,096 bytes free
.
- - End Of File - - 31E259B3D84EB59227E5C99CA8B89551
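
A triage script for a ComboFix log like the one just posted, added here as an example (it is not the thread's or ComboFix's own code): it parses a constructed excerpt in ComboFix's format, modelled on the log above, and turns the AV/FW status line, the "Other Deletions" section, the firewall policy key and the Supplementary Scan entries into review items for the helper.

```python
"""Triage a ComboFix log: pull out what a helper reads first and flag entries that
commonly accompany a search redirect. Added example, not ComboFix's or the thread's
code; line formats follow the log posted above, SAMPLE_LOG is a constructed excerpt."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
AV: BitDefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *Enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\kossbu\Application Data\twext.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
------- Supplementary Scan -------
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://76.200.196.89:85/WebClient.cab
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
"""

PAREN_SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")        # (((( Other Deletions ))))
DASH_SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")     # ------- Supplementary Scan -------
STATUS_RE = re.compile(r"^(AV|FW):\s*(.+?)\s*\*([^*]+)\*")   # AV: Product *State/Updated*
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')      # Windows Firewall policy value
DNS_RE = re.compile(r"^TCP:\s*DhcpNameServer\s*=\s*(.+)$")
DPF_RE = re.compile(r"^DPF:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(\S+)")  # IE ActiveX download entry
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


@dataclass
class Triage:
    deletions: List[str] = field(default_factory=list)
    disabled_protection: List[str] = field(default_factory=list)
    firewall_policy_enabled: Optional[bool] = None        # None = no policy line seen
    dns_servers: List[str] = field(default_factory=list)
    dpf_from_ip: List[Tuple[str, str]] = field(default_factory=list)  # (CLSID, host)
    findings: List[str] = field(default_factory=list)


def host_of(url: str) -> str:
    """Host part of a ComboFix-defanged URL such as hxxp://host:port/path."""
    m = re.match(r"^[a-z]+://([^/?#]+)", url, re.IGNORECASE)
    if not m:
        return ""
    host = m.group(1)
    if host.startswith("["):                               # bracketed IPv6 literal
        return host[1:host.find("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text: str) -> Triage:
    """Walk the log once; ComboFix's "." filler lines are skipped."""
    result = Triage()
    section = ""
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line or line == ".":
            continue
        if m := PAREN_SECTION_RE.match(line) or DASH_SECTION_RE.match(line):
            section = m.group(1).lower()
        elif m := STATUS_RE.match(line):
            kind, product, state = m.groups()
            if state.lower().startswith("disabled"):
                result.disabled_protection.append(f"{kind}: {product}")
        elif section == "other deletions" and PATH_RE.match(line):
            result.deletions.append(line)
        elif m := FIREWALL_RE.match(line):
            result.firewall_policy_enabled = m.group(1) != "0"
        elif m := DNS_RE.match(line):
            result.dns_servers = m.group(1).split()
        elif m := DPF_RE.match(line):
            clsid, host = m.group(1), host_of(m.group(2))
            if is_ip_literal(host):
                result.dpf_from_ip.append((clsid, host))
    # Turn observations into review items: risk pointers for the helper, not verdicts.
    for item in result.disabled_protection:
        result.findings.append(f"{item} reported disabled; confirm it is back on after the run")
    if result.firewall_policy_enabled is False:
        result.findings.append("Windows Firewall policy: EnableFirewall = 0 (firewall turned off)")
    for clsid, host in result.dpf_from_ip:
        result.findings.append(f"IE ActiveX download {clsid} fetched from bare IP {host}; confirm it is expected")
    if result.deletions:
        result.findings.append(f"ComboFix removed {len(result.deletions)} item(s); compare with ComboFix-quarantined-files.txt")
    return result
```

Run `triage()` over a full log and compare the DNS servers it reports against the ISP's published resolvers; an unexpected pair is the first thing to check for a redirect.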

#8 gringo_pr
Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 November 2012 - 09:29 PM

Greetings

I want you to run these next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#9 TaxPro
  • Topic Starter
  • Members
  • 27 posts

Posted 28 November 2012 - 09:45 PM

I ran TDSSKiller. No threats found. No reboot required. Here's the report:

21:42:11.0625 3648 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
21:42:12.0015 3648 ============================================================
21:42:12.0015 3648 Current date / time: 2012/11/28 21:42:12.0015
21:42:12.0015 3648 SystemInfo:
21:42:12.0015 3648
21:42:12.0015 3648 OS Version: 5.1.2600 ServicePack: 3.0
21:42:12.0015 3648 Product type: Workstation
21:42:12.0015 3648 ComputerName: CBLLC-007
21:42:12.0015 3648 UserName: kossbu
21:42:12.0015 3648 Windows directory: C:\WINDOWS
21:42:12.0015 3648 System windows directory: C:\WINDOWS
21:42:12.0015 3648 Processor architecture: Intel x86
21:42:12.0015 3648 Number of processors: 2
21:42:12.0015 3648 Page size: 0x1000
21:42:12.0015 3648 Boot type: Normal boot
21:42:12.0015 3648 ============================================================
21:42:13.0828 3648 Drive \Device\Harddisk0\DR0 - Size: 0x9516AE000 (37.27 Gb), SectorSize: 0x200, Cylinders: 0x1301, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:42:13.0828 3648 ============================================================
21:42:13.0828 3648 \Device\Harddisk0\DR0:
21:42:13.0828 3648 MBR partitions:
21:42:13.0828 3648 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x4A8A000
21:42:13.0828 3648 ============================================================
21:42:13.0859 3648 C: <-> \Device\Harddisk0\DR0\Partition1
21:42:13.0875 3648 ============================================================
21:42:13.0875 3648 Initialize success
21:42:13.0875 3648 ============================================================
21:42:19.0531 2344 ============================================================
21:42:19.0531 2344 Scan started
21:42:19.0531 2344 Mode: Manual;
21:42:19.0531 2344 ============================================================
21:42:19.0921 2344 ================ Scan system memory ========================
21:42:19.0921 2344 System memory - ok
21:42:19.0921 2344 ================ Scan services =============================
21:42:27.0203 2344 NDProxy - ok
21:42:27.0218 2344 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
21:42:27.0218 2344 NetBIOS - ok
21:42:27.0234 2344 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
21:42:27.0250 2344 NetBT - ok
21:42:27.0296 2344 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
21:42:27.0296 2344 NetDDE - ok
21:42:27.0312 2344 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
21:42:27.0312 2344 NetDDEdsdm - ok
21:42:27.0375 2344 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
21:42:27.0375 2344 Netlogon - ok
21:42:27.0406 2344 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
21:42:27.0406 2344 Netman - ok
21:42:27.0484 2344 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
21:42:27.0484 2344 NetTcpPortSharing - ok
21:42:27.0515 2344 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
21:42:27.0515 2344 Nla - ok
21:42:27.0609 2344 [ 7AEA4DF1CA68FD45DD4BBE1F0243CE7F ] NMSAccess C:\Program Files\CDBurnerXP\NMSAccessU.exe
21:42:27.0609 2344 NMSAccess - ok
21:42:27.0656 2344 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
21:42:27.0656 2344 Npfs - ok
21:42:27.0718 2344 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
21:42:27.0765 2344 Ntfs - ok
21:42:27.0781 2344 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
21:42:27.0781 2344 NtLmSsp - ok
21:42:27.0828 2344 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
21:42:27.0843 2344 NtmsSvc - ok
21:42:27.0890 2344 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
21:42:27.0890 2344 Null - ok
21:42:28.0171 2344 [ 1F718456C012387138C85CA58E8BF133 ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
21:42:28.0281 2344 nv - ok
21:42:28.0328 2344 [ FDE61779FC016B0E2CF2248397FE2B0F ] NVSvc C:\WINDOWS\system32\nvsvc32.exe
21:42:28.0328 2344 NVSvc - ok
21:42:28.0359 2344 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:42:28.0359 2344 NwlnkFlt - ok
21:42:28.0390 2344 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:42:28.0390 2344 NwlnkFwd - ok
21:42:28.0484 2344 [ 5A432A042DAE460ABE7199B758E8606C ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
21:42:28.0484 2344 ose - ok
21:42:28.0531 2344 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
21:42:28.0546 2344 Parport - ok
21:42:28.0593 2344 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
21:42:28.0593 2344 PartMgr - ok
21:42:28.0609 2344 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
21:42:28.0625 2344 ParVdm - ok
21:42:28.0625 2344 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
21:42:28.0625 2344 PCI - ok
21:42:28.0640 2344 PCIDump - ok
21:42:28.0640 2344 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
21:42:28.0656 2344 PCIIde - ok
21:42:28.0671 2344 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
21:42:28.0671 2344 Pcmcia - ok
21:42:28.0687 2344 PDCOMP - ok
21:42:28.0687 2344 PDFRAME - ok
21:42:28.0703 2344 PDRELI - ok
21:42:28.0718 2344 PDRFRAME - ok
21:42:28.0734 2344 perc2 - ok
21:42:28.0750 2344 perc2hib - ok
21:42:28.0828 2344 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
21:42:28.0828 2344 PlugPlay - ok
21:42:28.0843 2344 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
21:42:28.0843 2344 PolicyAgent - ok
21:42:28.0890 2344 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:42:28.0890 2344 PptpMiniport - ok
21:42:28.0906 2344 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
21:42:28.0906 2344 ProtectedStorage - ok
21:42:28.0968 2344 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
21:42:28.0968 2344 PSched - ok
21:42:28.0984 2344 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:42:28.0984 2344 Ptilink - ok
21:42:28.0984 2344 ql1080 - ok
21:42:29.0000 2344 Ql10wnt - ok
21:42:29.0000 2344 ql12160 - ok
21:42:29.0031 2344 ql1240 - ok
21:42:29.0046 2344 ql1280 - ok
21:42:29.0078 2344 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:42:29.0093 2344 RasAcd - ok
21:42:29.0125 2344 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
21:42:29.0125 2344 RasAuto - ok
21:42:29.0156 2344 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:42:29.0156 2344 Rasl2tp - ok
21:42:29.0171 2344 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
21:42:29.0187 2344 RasMan - ok
21:42:29.0187 2344 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:42:29.0187 2344 RasPppoe - ok
21:42:29.0203 2344 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
21:42:29.0203 2344 Raspti - ok
21:42:29.0234 2344 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:42:29.0234 2344 Rdbss - ok
21:42:29.0250 2344 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:42:29.0250 2344 RDPCDD - ok
21:42:29.0281 2344 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:42:29.0281 2344 rdpdr - ok
21:42:29.0328 2344 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
21:42:29.0343 2344 RDPWD - ok
21:42:29.0406 2344 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
21:42:29.0406 2344 RDSessMgr - ok
21:42:29.0453 2344 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
21:42:29.0453 2344 redbook - ok
21:42:29.0515 2344 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
21:42:29.0515 2344 RemoteAccess - ok
21:42:29.0546 2344 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
21:42:29.0562 2344 RemoteRegistry - ok
21:42:29.0609 2344 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
21:42:29.0609 2344 RpcLocator - ok
21:42:29.0640 2344 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
21:42:29.0656 2344 RpcSs - ok
21:42:29.0687 2344 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
21:42:29.0687 2344 RSVP - ok
21:42:29.0718 2344 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
21:42:29.0718 2344 SamSs - ok
21:42:29.0765 2344 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
21:42:29.0781 2344 SCardSvr - ok
21:42:29.0812 2344 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
21:42:29.0828 2344 Schedule - ok
21:42:29.0859 2344 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:42:29.0859 2344 Secdrv - ok
21:42:29.0906 2344 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
21:42:29.0906 2344 seclogon - ok
21:42:29.0921 2344 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
21:42:29.0921 2344 SENS - ok
21:42:29.0953 2344 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
21:42:29.0953 2344 serenum - ok
21:42:29.0953 2344 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
21:42:29.0968 2344 Serial - ok
21:42:30.0046 2344 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
21:42:30.0109 2344 Sfloppy - ok
21:42:30.0156 2344 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
21:42:30.0171 2344 SharedAccess - ok
21:42:30.0203 2344 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
21:42:30.0203 2344 ShellHWDetection - ok
21:42:30.0218 2344 Simbad - ok
21:42:30.0312 2344 [ 86D17B6760DD2B09E932FF101714E0DC ] smwdm C:\WINDOWS\system32\drivers\smwdm.sys
21:42:30.0343 2344 smwdm - ok
21:42:30.0437 2344 [ 3978F082274F723AD5A0A8058C2417DD ] SoundMAX Agent Service (default) C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
21:42:30.0437 2344 SoundMAX Agent Service (default) - ok
21:42:30.0437 2344 Sparrow - ok
21:42:30.0484 2344 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
21:42:30.0484 2344 splitter - ok
21:42:30.0546 2344 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
21:42:30.0546 2344 Spooler - ok
21:42:30.0593 2344 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
21:42:30.0593 2344 sr - ok
21:42:30.0656 2344 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
21:42:30.0656 2344 srservice - ok
21:42:30.0734 2344 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
21:42:30.0734 2344 Srv - ok
21:42:30.0765 2344 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
21:42:30.0765 2344 SSDPSRV - ok
21:42:30.0796 2344 [ E57B778208C783D8DEBAB320C16A1B82 ] StarOpen C:\WINDOWS\system32\drivers\StarOpen.sys
21:42:30.0796 2344 StarOpen - ok
21:42:30.0843 2344 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
21:42:30.0859 2344 stisvc - ok
21:42:30.0906 2344 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
21:42:30.0906 2344 swenum - ok
21:42:30.0953 2344 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
21:42:30.0953 2344 swmidi - ok
21:42:30.0968 2344 SwPrv - ok
21:42:30.0968 2344 symc810 - ok
21:42:30.0984 2344 symc8xx - ok
21:42:31.0000 2344 sym_hi - ok
21:42:31.0015 2344 sym_u3 - ok
21:42:31.0046 2344 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
21:42:31.0062 2344 sysaudio - ok
21:42:31.0109 2344 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
21:42:31.0109 2344 SysmonLog - ok
21:42:31.0171 2344 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
21:42:31.0171 2344 TapiSrv - ok
21:42:31.0234 2344 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:42:31.0250 2344 Tcpip - ok
21:42:31.0281 2344 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
21:42:31.0281 2344 TDPIPE - ok
21:42:31.0312 2344 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
21:42:31.0312 2344 TDTCP - ok
21:42:31.0343 2344 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
21:42:31.0343 2344 TermDD - ok
21:42:31.0421 2344 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
21:42:31.0437 2344 TermService - ok
21:42:31.0453 2344 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
21:42:31.0453 2344 Themes - ok
21:42:31.0484 2344 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
21:42:31.0484 2344 TlntSvr - ok
21:42:31.0484 2344 TosIde - ok
21:42:31.0546 2344 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
21:42:31.0546 2344 TrkWks - ok
21:42:31.0593 2344 [ ACEB4F4F83B895E15C8C1A2F55009783 ] truecrypt C:\WINDOWS\system32\drivers\truecrypt.sys
21:42:31.0593 2344 truecrypt - ok
21:42:31.0640 2344 [ A919775C03303D0E0690B315D26A5E1D ] Trufos C:\WINDOWS\system32\DRIVERS\Trufos.sys
21:42:31.0656 2344 Trufos - ok
21:42:31.0687 2344 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
21:42:31.0703 2344 Udfs - ok
21:42:31.0703 2344 ultra - ok
21:42:31.0750 2344 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
21:42:31.0765 2344 Update - ok
21:42:31.0843 2344 [ 97AF0BFAC3AB8343E37E19C551E7D9FA ] Update Server C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
21:42:31.0843 2344 Update Server - ok
21:42:31.0906 2344 [ 170CA3CFF192F21062776DEF52047FC4 ] Updatesrv C:\Program Files\BitDefender\BitDefender 2011\updatesrv.exe
21:42:31.0906 2344 Updatesrv - ok
21:42:31.0953 2344 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
21:42:31.0968 2344 upnphost - ok
21:42:32.0000 2344 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
21:42:32.0000 2344 UPS - ok
21:42:32.0046 2344 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:42:32.0046 2344 usbccgp - ok
21:42:32.0093 2344 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:42:32.0093 2344 usbehci - ok
21:42:32.0109 2344 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:42:32.0109 2344 usbhub - ok
21:42:32.0171 2344 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:42:32.0171 2344 usbprint - ok
21:42:32.0218 2344 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:42:32.0218 2344 usbscan - ok
21:42:32.0265 2344 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:42:32.0265 2344 USBSTOR - ok
21:42:32.0281 2344 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:42:32.0281 2344 usbuhci - ok
21:42:32.0296 2344 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
21:42:32.0296 2344 VgaSave - ok
21:42:32.0312 2344 ViaIde - ok
21:42:32.0359 2344 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
21:42:32.0359 2344 VolSnap - ok
21:42:32.0390 2344 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
21:42:32.0406 2344 VSS - ok
21:42:32.0421 2344 VSSERV - ok
21:42:32.0468 2344 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
21:42:32.0468 2344 W32Time - ok
21:42:32.0484 2344 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:42:32.0484 2344 Wanarp - ok
21:42:32.0546 2344 [ BBCFEAB7E871CDDAC2D397EE7FA91FDC ] Wdf01000 C:\WINDOWS\system32\Drivers\wdf01000.sys
21:42:32.0562 2344 Wdf01000 - ok
21:42:32.0562 2344 WDICA - ok
21:42:32.0625 2344 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
21:42:32.0625 2344 wdmaud - ok
21:42:32.0687 2344 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
21:42:32.0687 2344 WebClient - ok
21:42:32.0781 2344 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
21:42:32.0781 2344 winmgmt - ok
21:42:32.0843 2344 [ C7E39EA41233E9F5B86C8DA3A9F1E4A8 ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
21:42:32.0859 2344 WmdmPmSN - ok
21:42:32.0906 2344 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
21:42:32.0921 2344 Wmi - ok
21:42:32.0968 2344 [ C42584FD66CE9E17403AEBCA199F7BDB ] WmiAcpi C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
21:42:32.0968 2344 WmiAcpi - ok
21:42:33.0015 2344 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
21:42:33.0015 2344 WmiApSrv - ok
21:42:33.0328 2344 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
21:42:33.0500 2344 WPFFontCache_v0400 - ok
21:42:33.0546 2344 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:42:33.0546 2344 WS2IFSL - ok
21:42:33.0578 2344 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
21:42:33.0593 2344 wscsvc - ok
21:42:33.0640 2344 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
21:42:33.0640 2344 wuauserv - ok
21:42:33.0687 2344 [ 6FF66513D372D479EF1810223C8D20CE ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:42:33.0687 2344 WudfPf - ok
21:42:33.0703 2344 [ AC13CB789D93412106B0FB6C7EB2BCB6 ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:42:33.0703 2344 WudfRd - ok
21:42:33.0750 2344 [ 575A4190D989F64732119E4114045A4F ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
21:42:33.0750 2344 WudfSvc - ok
21:42:33.0781 2344 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
21:42:33.0812 2344 WZCSVC - ok
21:42:33.0859 2344 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
21:42:33.0875 2344 xmlprov - ok
21:42:33.0875 2344 ================ Scan global ===============================
21:42:33.0921 2344 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
21:42:33.0984 2344 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
21:42:34.0000 2344 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
21:42:34.0015 2344 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
21:42:34.0015 2344 [Global] - ok
21:42:34.0015 2344 ================ Scan MBR ==================================
21:42:34.0046 2344 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
21:42:34.0218 2344 \Device\Harddisk0\DR0 - ok
21:42:34.0218 2344 ================ Scan VBR ==================================
21:42:34.0218 2344 [ 1DA2211EB7AC38E433DEAF12B2D17489 ] \Device\Harddisk0\DR0\Partition1
21:42:34.0218 2344 \Device\Harddisk0\DR0\Partition1 - ok
21:42:34.0218 2344 ============================================================
21:42:34.0218 2344 Scan finished
21:42:34.0218 2344 ============================================================
21:42:34.0250 1420 Detected object count: 0
21:42:34.0250 1420 Actual detected object count: 0

Moving on to aswMBR...

Thanks for your help with this

BMK

#10 TaxPro (Topic Starter, Members, 27 posts)

Posted 28 November 2012 - 10:09 PM

Here's the log from aswMBR.

The file it identified as "infected" is a file that I renamed a couple days ago, in my early efforts to resolve this on my own. I think the original extension was .dll.

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-28 21:44:51
-----------------------------
21:44:51.234 OS Version: Windows 5.1.2600 Service Pack 3
21:44:51.234 Number of processors: 2 586 0x409
21:44:51.234 ComputerName: CBLLC-007 UserName: kossbu
21:44:52.296 Initialize success
21:56:10.937 AVAST engine defs: 12112801
21:56:50.765 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
21:56:50.765 Disk 0 Vendor: ST340014AS 3.43 Size: 38166MB BusType: 3
21:56:50.781 Disk 0 MBR read successfully
21:56:50.781 Disk 0 MBR scan
21:56:50.828 Disk 0 Windows 7 default MBR code
21:56:50.843 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38164 MB offset 2048
21:56:50.984 Disk 0 scanning sectors +78161920
21:56:51.046 Disk 0 scanning C:\WINDOWS\system32\drivers
21:57:00.875 Service scanning
21:57:28.921 Modules scanning
21:57:41.562 Disk 0 trace - called modules:
21:57:41.593 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:57:41.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89b8fab8]
21:57:41.593 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000067[0x89b929e8]
21:57:41.593 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x89bd0940]
21:57:41.859 AVAST engine scan C:\WINDOWS
21:57:54.140 AVAST engine scan C:\WINDOWS\system32
22:01:17.343 AVAST engine scan C:\WINDOWS\system32\drivers
22:01:30.203 AVAST engine scan C:\Documents and Settings\kossbu
22:03:06.406 File: C:\Documents and Settings\kossbu\Local Settings\Application Data\LogMeIn\Adobe\bleepthis.txt **INFECTED** Win32:Tracur-JH [Trj]
22:04:14.703 AVAST engine scan C:\Documents and Settings\All Users
22:04:33.312 Scan finished successfully
22:04:42.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\kossbu\Desktop\MBR.dat"
22:04:42.781 The log file has been saved successfully to "C:\Documents and Settings\kossbu\Desktop\aswMBR.txt"

#11 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 28 November 2012 - 10:18 PM

:thumbup2:
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 TaxPro (Topic Starter, Members, 27 posts)

Posted 28 November 2012 - 10:28 PM

Still getting intermittent redirects :(

BMK

#13 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 28 November 2012 - 10:31 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

#14 TaxPro (Topic Starter, Members, 27 posts)

Posted 28 November 2012 - 11:34 PM

Running OTL right now...

But it may be fixed. I'm keeping my fingers crossed.

While waiting for your last response, I decided to run the ESET online scan. I set it to scan only--not to fix anything.

And it was taking a loooong time. I have some large files on this computer that I know are clean. For example, I have an .iso for the installation of Windows 8 Pro, and I have an image file taken from an external hard drive, using GetDataBack, that is 9 GB. The ESET scanner was going to take hours. But after about 30%, it identified three files that looked like they might be responsible for this issue. I stopped the scan, and pulled a log:

C:\Documents and Settings\kossbu\Application Data\Mozilla\Firefox\Profiles\in8pm2dt.default\extensions\nffrtbuica@nffrtbuica.org.xpi JS/Redirector.NCI trojan
C:\Documents and Settings\kossbu\Application Data\Sun\Java\Deployment\cache\6.0\43\5ea608ab-6401ca36 a variant of Java/Exploit.CVE-2012-0507.DP trojan
C:\Documents and Settings\kossbu\Application Data\Sun\Java\Deployment\cache\6.0\59\47363e7b-5cb56e49 a variant of Java/JShrink.A application

The first one was the most suspicious-looking. It had a file modification date way back in 2008. But I got this PC a little over a year ago. I know that sometimes files can have dates that are earlier than the PC activation date, but that didn't make sense for a file in the Firefox profile, because Firefox is not an OEM product...

Using cut-and-paste, I manually moved all three files into a Truecrypt container, which I then unmounted.

And the problem seems to have gone away... even after rebooting. Tested Google searches in FF and IE, and they are not getting redirected.

Here's the OTL log. Maybe there's stuff left behind in the registry or something...

OTL logfile created on: 11/28/2012 11:15:09 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\kossbu\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.29 Gb Available Physical Memory | 64.67% Memory free
2.59 Gb Paging File | 2.00 Gb Available in Paging File | 77.29% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 4.86 Gb Free Space | 13.05% Space Free | Partition Type: NTFS

Computer Name: CBLLC-007 | User Name: kossbu | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\kossbu\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\BitDefender\BitDefender 2011\bdagent.exe (BitDefender S.R.L.)
PRC - C:\Program Files\BitDefender\BitDefender 2011\vsserv.exe (BitDefender S.R.L.)
PRC - C:\Program Files\BitDefender\BitDefender 2011\pchooklaunch32.exe (BitDefender S.R.L.)
PRC - C:\Program Files\BitDefender\BitDefender 2011\updatesrv.exe (BitDefender S.R.L.)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
PRC - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\BitDefender\BitDefender 2011\as2core\ashttpf.mdl ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\procinfo.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\as2core\ashttpfr.mdl ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\UI\imsecurityal.ui ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\containerdatasp.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\UI\accessl.ui ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\as2core\ashttprbl.mdl ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\midasdp.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\framework.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\midasal.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\as2core\asimdsp.mdl ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\bdmltusrsrv.dll ()
MOD - \\?\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\smartscnal.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\as2core\ashttpbr.mdl ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\knownfilessp.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\txmlutil.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\as2core\ashttpdsp.mdl ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\UI\detectsmtpsettings.ui ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\accessl.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\connector.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\excludemgr.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\strdecoder.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\as2core\asimf.mdl ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\as2core\ashttpph.mdl ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\as2core\asimbr.mdl ()
MOD - C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\smartscn.dll ()
MOD - C:\Program Files\BitDefender\BitDefender 2011\bdfwcore.dll ()
MOD - C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
MOD - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
MOD - C:\WINDOWS\system32\PDFreDirectMonNT.dll ()


========== Services (SafeList) ==========

SRV - (VSSERV) -- C:\Program Files\BitDefender\BitDefender 2011\vsserv.exe (BitDefender S.R.L.)
SRV - (Updatesrv) -- C:\Program Files\BitDefender\BitDefender 2011\updatesrv.exe (BitDefender S.R.L.)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (Freemake Improver) -- C:\Documents and Settings\All Users\Application Data\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe (Freemake)
SRV - (Update Server) -- C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe (BitDefender)
SRV - (IJPLMSVC) -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
SRV - (NMSAccess) -- C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
SRV - (SoundMAX Agent Service (default) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\kossbu\LOCALS~1\Temp\catchme.sys File not found
DRV - (bdfm) -- C:\WINDOWS\system32\drivers\bdfm.sys (BitDefender S.R.L. Bucharest, ROMANIA)
DRV - (bdselfpr) -- C:\Program Files\BitDefender\BitDefender 2011\bdselfpr.sys (BitDefender LLC)
DRV - (Trufos) -- C:\WINDOWS\system32\drivers\trufos.sys (BitDefender S.R.L.)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (truecrypt) -- C:\WINDOWS\system32\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (bdfsfltr) -- C:\WINDOWS\system32\drivers\bdfsfltr.sys (BitDefender)
DRV - (avckf) -- C:\WINDOWS\system32\drivers\avckf.sys (BitDefender)
DRV - (avc3) -- C:\WINDOWS\system32\drivers\avc3.sys (BitDefender)
DRV - (Bdftdif) -- C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys (BitDefender LLC)
DRV - (Bdfndisf) -- C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdfndisf.sys (BitDefender)
DRV - (BdRawPr) -- C:\WINDOWS\system32\drivers\bdrawpr.sys (BITDEFENDER LLC)
DRV - (Bdvedisk) -- C:\WINDOWS\system32\drivers\bdvedisk.sys (BitDefender)
DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()
DRV - (epmntdrv) -- C:\WINDOWS\system32\epmntdrv.sys ()
DRV - (EuGdiDrv) -- C:\WINDOWS\system32\EuGdiDrv.sys ()
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledAddons: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.10
FF - prefs.js..extensions.enabledItems: {ab91efd4-6975-4081-8552-1b3922ed79e2}:1.0.6.1
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.7
FF - prefs.js..extensions.enabledItems: FFToolbar@bitdefender.com:2.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_278.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\FFToolbar@bitdefender.com: C:\Program Files\BitDefender\BitDefender 2011\bdaphffext\ [2012/11/04 12:25:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/21 21:58:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/09/21 21:58:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\bdThunderbird@bitdefender.com: C:\Program Files\BitDefender\BitDefender 2011\bdtbext\ [2012/11/04 12:25:57 | 000,000,000 | ---D | M]

[2011/11/07 18:12:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\kossbu\Application Data\Mozilla\Extensions
[2011/11/07 18:12:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\kossbu\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012/11/28 23:03:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\kossbu\Application Data\Mozilla\Firefox\Profiles\in8pm2dt.default\extensions
[2012/09/26 00:06:53 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\kossbu\Application Data\Mozilla\Firefox\Profiles\in8pm2dt.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012/09/21 21:59:20 | 000,020,591 | ---- | M] () (No name found) -- C:\Documents and Settings\kossbu\Application Data\Mozilla\Firefox\Profiles\in8pm2dt.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2012/09/21 21:58:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/09/05 20:27:05 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/09/05 20:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/09/05 20:26:22 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/11/28 11:54:01 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Bitdefender Toolbar) - {381FFDE8-2394-4F90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2011\ietoolbar.dll (BitDefender S.R.L.)
O4 - HKLM..\Run: [BDAgent] C:\Program Files\BitDefender\BitDefender 2011\bdagent.exe (BitDefender S.R.L.)
O4 - HKLM..\Run: [BitDefender Antiphishing Helper] C:\Program Files\BitDefender\BitDefender 2011\ieshow.exe (BitDefender S.R.L.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1340531651984 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1340531631453 (MUWebControl Class)
O16 - DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} http://76.200.196.89:85/WebClient.cab (WebClient Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://esource.ohiohealth.com/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=928 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A1EC5310-D9B5-4C3E-BF7D-E9700B4DEF9D}: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:0 () - file:///C:/DOCUME~1/kossbu/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\kossbu\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\kossbu\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/29 09:18:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/28 22:49:27 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\kossbu\Desktop\OTL.exe
[2012/11/28 22:24:17 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\kossbu\Desktop\esetsmartinstaller_enu.exe
[2012/11/28 22:06:11 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/11/28 21:40:46 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\kossbu\Desktop\aswMBR.exe
[2012/11/28 21:40:35 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\kossbu\Desktop\tdsskiller.exe
[2012/11/28 21:13:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/11/27 20:20:46 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/11/27 20:17:19 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/11/27 20:17:19 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/11/27 20:17:19 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/11/27 20:17:19 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/11/27 20:14:23 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/11/27 20:13:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/11/27 20:11:07 | 005,007,302 | R--- | C] (Swearware) -- C:\Documents and Settings\kossbu\Desktop\ComboFix.exe
[2012/11/27 00:12:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\QuickScan
[2012/11/26 23:55:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\Desktop\backups
[2012/11/26 21:59:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\Desktop\RK_Quarantine
[2012/11/26 21:20:48 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/11/26 21:16:56 | 000,000,000 | R--D | C] -- C:\Documents and Settings\kossbu\Start Menu\Programs\Administrative Tools
[2012/11/26 21:15:43 | 000,688,992 | R--- | C] (Swearware) -- C:\Documents and Settings\kossbu\Desktop\dds.com
[2012/11/26 20:55:06 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\kossbu\Desktop\HijackThis.exe
[2012/11/21 08:49:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\Desktop\Move2
[2012/11/20 23:25:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\My Documents\2012_11_20
[2012/11/16 10:48:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\Desktop\Move
[2012/11/15 19:22:01 | 000,000,000 | R--D | C] -- C:\ESD
[2012/11/11 14:57:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2012/11/11 13:02:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CanonIJ
[2012/11/11 13:02:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\Application Data\Canon
[2012/11/11 13:01:04 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\CanonIJSolutionMenuEX
[2012/11/11 13:00:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
[2012/11/11 12:59:26 | 000,025,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbprint.sys
[2012/11/11 12:59:14 | 001,335,296 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNC280C.dll
[2012/11/11 12:59:14 | 000,307,200 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNC280L.dll
[2012/11/11 12:59:14 | 000,114,688 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNC280I.dll
[2012/11/11 12:59:13 | 000,106,496 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNC280U.dll
[2012/11/11 12:59:13 | 000,015,872 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNHMCA.dll
[2012/11/11 12:59:12 | 000,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[2012/11/11 12:58:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CanonIJMSetup
[2012/11/11 12:58:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Canon MP280 series User Registration
[2012/11/11 12:58:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CanonIJWSpt
[2012/11/11 12:57:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Canon Utilities
[2012/11/11 12:57:15 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2012/11/11 12:57:07 | 000,290,816 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNMLMAA.DLL
[2012/11/11 12:57:04 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\CanonIJ Uninstaller Information
[2012/11/11 12:57:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Canon MP280 series
[2012/11/11 12:56:59 | 000,094,208 | ---- | C] (Canon Inc.) -- C:\WINDOWS\System32\CNC280O.dll
[2012/11/11 12:56:57 | 000,180,224 | ---- | C] (CANON INC.) -- C:\WINDOWS\System32\CNMIUAA.DLL
[2012/11/11 12:56:40 | 000,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2012/11/11 12:55:31 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[2012/11/07 18:47:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\My Documents\2012-11-07
[2012/11/05 13:43:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\My Documents\Renters
[2012/11/03 23:49:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\kossbu\My Documents\My Videos
[2012/11/03 23:22:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\My Documents\My Streaming Media
[2012/11/03 23:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\Local Settings\Application Data\Jaksta_Technologies_Pty_L
[2012/11/03 23:20:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Applian Technologies
[2012/11/03 23:20:15 | 000,000,000 | ---D | C] -- C:\Program Files\Applian Technologies
[2012/11/03 23:19:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Applian
[2012/11/03 21:02:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\BitDefender 2011
[2012/11/03 21:02:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\Application Data\BitDefender
[2012/11/03 20:57:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\c75b0000-a4c5-4045-8f93-8c8539712595
[2012/11/03 20:48:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\kossbu\Application Data\QuickScan
[2012/11/03 20:47:56 | 000,306,320 | ---- | C] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\trufos.sys
[2012/11/03 20:47:55 | 000,353,096 | ---- | C] (BitDefender) -- C:\WINDOWS\System32\drivers\bdfsfltr.sys
[2012/11/03 20:47:55 | 000,012,960 | ---- | C] (BITDEFENDER LLC) -- C:\WINDOWS\System32\drivers\bdrawpr.sys
[2012/10/13 14:40:38 | 003,977,216 | ---- | C] (2nd Story Software, Inc.) -- C:\Program Files\1040_NYcalc.dll
[2012/05/18 23:08:11 | 001,393,736 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\kossbu\gotomypc_635.exe
[2012/04/10 12:05:38 | 001,290,240 | ---- | C] (2nd Story Software, Inc.) -- C:\Program Files\1040_NJcalc.dll
[2012/04/10 11:03:57 | 001,732,608 | ---- | C] (2nd Story Software, Inc.) -- C:\Program Files\1040_INcalc.dll
[2012/02/22 18:43:26 | 001,884,160 | ---- | C] (2nd Story Software, Inc.) -- C:\Program Files\1040_IAcalc.dll
[2012/02/22 18:42:58 | 003,112,960 | ---- | C] (2nd Story Software, Inc.) -- C:\Program Files\1040_MIcalc.dll
[2012/02/22 18:42:28 | 001,048,576 | ---- | C] (2nd Story Software, Inc.) -- C:\Program Files\1040_ILcalc.dll
[2012/02/07 15:58:11 | 001,118,208 | ---- | C] (2nd Story Software, Inc.) -- C:\Program Files\1040_OHcalc.dll
[2012/02/07 15:53:40 | 001,802,752 | ---- | C] (www.is-soft.de - www.pdf-analyzer.com) -- C:\Program Files\PDFText.dll
[2012/02/07 15:53:40 | 001,455,616 | ---- | C] (POLESTARSOFT.com) -- C:\Program Files\HTMLCapture.dll
[2012/02/07 15:53:40 | 001,404,928 | ---- | C] (DynaForms) -- C:\Program Files\Dynapdf.dll
[2012/02/07 15:53:40 | 000,126,976 | ---- | C] (Symbol Technologies, Inc.) -- C:\Program Files\Taxpdf.dll
[2012/02/07 15:53:37 | 011,058,256 | ---- | C] (2nd Story Software) -- C:\Program Files\TaxACT11.exe
[2012/02/07 15:53:37 | 001,220,608 | ---- | C] (2nd Story Software, Inc.) -- C:\Program Files\1040_FedPrint.dll
[2012/02/07 15:53:34 | 016,531,456 | ---- | C] (2nd Story Software, Inc.) -- C:\Program Files\1040_FedCalc.dll
[3 C:\Documents and Settings\kossbu\Desktop\*.tmp files -> C:\Documents and Settings\kossbu\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\kossbu\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\kossbu\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/28 23:14:53 | 000,492,614 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/11/28 23:14:53 | 000,083,262 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/11/28 23:10:39 | 000,000,507 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2012/11/28 23:10:00 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/11/28 23:09:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/11/28 23:02:35 | 052,428,800 | ---- | M] () -- C:\Documents and Settings\kossbu\Desktop\Malware
[2012/11/28 22:49:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kossbu\Desktop\OTL.exe
[2012/11/28 22:24:30 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\kossbu\Desktop\esetsmartinstaller_enu.exe
[2012/11/28 22:04:42 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\kossbu\Desktop\MBR.dat
[2012/11/28 21:41:29 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\kossbu\Desktop\aswMBR.exe
[2012/11/28 21:40:55 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\kossbu\Desktop\tdsskiller.exe
[2012/11/28 21:25:55 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\kossbu\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2012/11/28 11:54:01 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/11/27 20:20:56 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/11/27 20:11:49 | 005,007,302 | R--- | M] (Swearware) -- C:\Documents and Settings\kossbu\Desktop\ComboFix.exe
[2012/11/27 08:47:25 | 000,856,731 | ---- | M] () -- C:\Documents and Settings\kossbu\Desktop\SecurityCheck.exe
[2012/11/26 22:19:29 | 000,004,426 | ---- | M] () -- C:\Documents and Settings\kossbu\Desktop\attach.zip
[2012/11/26 21:41:29 | 000,752,128 | ---- | M] () -- C:\Documents and Settings\kossbu\Desktop\RogueKiller.exe
[2012/11/26 21:15:34 | 000,688,992 | R--- | M] (Swearware) -- C:\Documents and Settings\kossbu\Desktop\dds.com
[2012/11/26 20:12:42 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\kossbu\Desktop\HijackThis.exe
[2012/11/21 08:43:12 | 000,002,513 | ---- | M] () -- C:\Documents and Settings\kossbu\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2003.lnk
[2012/11/20 23:22:36 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/11/16 06:18:03 | 2229,665,792 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Win8Pro.iso
[2012/11/14 09:07:20 | 000,000,084 | ---- | M] () -- C:\WINDOWS\TaxACT10.ini
[2012/11/13 17:40:26 | 000,149,504 | ---- | M] () -- C:\Documents and Settings\kossbu\Application Data\SharedSettings.ccs
[2012/11/11 06:21:22 | 000,054,784 | ---- | M] () -- C:\Documents and Settings\kossbu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/11/11 01:54:50 | 157,892,144 | ---- | M] () -- C:\Documents and Settings\kossbu\My Documents\Misfits 04X01 - VOSTFR.mp4
[2012/11/10 22:05:48 | 000,000,048 | ---- | M] () -- C:\WINDOWS\TaxACT11.ini
[2012/11/03 21:54:07 | 000,153,440 | ---- | M] (BitDefender S.R.L. Bucharest, ROMANIA) -- C:\WINDOWS\System32\drivers\bdfm.sys
[2012/11/03 21:49:46 | 000,306,320 | ---- | M] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\trufos.sys
[2012/11/03 21:26:41 | 000,177,913 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\bdinstall.bin
[2012/11/03 20:00:43 | 000,000,052 | ---- | M] () -- C:\WINDOWS\System32\ashttpstats.csv
[2012/11/03 19:12:13 | 000,000,376 | ---- | M] () -- C:\Documents and Settings\kossbu\Application Dataprivacy.xml
[3 C:\Documents and Settings\kossbu\Desktop\*.tmp files -> C:\Documents and Settings\kossbu\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\kossbu\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\kossbu\Local Settings\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/28 23:02:32 | 052,428,800 | ---- | C] () -- C:\Documents and Settings\kossbu\Desktop\Malware
[2012/11/28 22:04:42 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\kossbu\Desktop\MBR.dat
[2012/11/27 20:20:55 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/11/27 20:20:49 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/11/27 20:17:19 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/11/27 20:17:19 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/11/27 20:17:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/11/27 20:17:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/11/27 20:17:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/11/27 08:47:31 | 000,856,731 | ---- | C] () -- C:\Documents and Settings\kossbu\Desktop\SecurityCheck.exe
[2012/11/26 22:19:29 | 000,004,426 | ---- | C] () -- C:\Documents and Settings\kossbu\Desktop\attach.zip
[2012/11/26 21:41:33 | 000,752,128 | ---- | C] () -- C:\Documents and Settings\kossbu\Desktop\RogueKiller.exe
[2012/11/16 09:59:49 | 2229,665,792 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Win8Pro.iso
[2012/11/11 12:59:14 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\CNC1746D.TBL
[2012/11/11 00:11:46 | 157,892,144 | ---- | C] () -- C:\Documents and Settings\kossbu\My Documents\Misfits 04X01 - VOSTFR.mp4
[2012/11/03 20:47:54 | 000,177,913 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bdinstall.bin
[2012/10/13 14:40:38 | 004,171,236 | ---- | C] () -- C:\Program Files\1040_NY.dat
[2012/10/13 14:40:38 | 003,622,119 | ---- | C] () -- C:\Program Files\1040_NYprint.dat
[2012/10/13 14:40:38 | 002,731,231 | ---- | C] () -- C:\Program Files\1040_NY instructions.dat
[2012/10/13 14:40:38 | 000,010,048 | ---- | C] () -- C:\Program Files\1040_NY learn more.dat
[2012/08/26 08:20:54 | 000,000,084 | ---- | C] () -- C:\WINDOWS\TaxACT10.ini
[2012/08/19 10:03:21 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\kossbu\Local Settings\Application Data\d3d9caps.dat
[2012/06/27 09:21:15 | 000,170,304 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/04/10 12:05:38 | 000,936,065 | ---- | C] () -- C:\Program Files\1040_NJ.dat
[2012/04/10 12:05:38 | 000,795,919 | ---- | C] () -- C:\Program Files\1040_NJ instructions.dat
[2012/04/10 12:05:38 | 000,627,965 | ---- | C] () -- C:\Program Files\1040_NJprint.dat
[2012/04/10 12:05:38 | 000,003,021 | ---- | C] () -- C:\Program Files\1040_NJ learn more.dat
[2012/04/10 11:03:58 | 001,709,708 | ---- | C] () -- C:\Program Files\1040_IN instructions.dat
[2012/04/10 11:03:58 | 001,023,674 | ---- | C] () -- C:\Program Files\1040_INprint.dat
[2012/04/10 11:03:58 | 000,009,500 | ---- | C] () -- C:\Program Files\1040_IN learn more.dat
[2012/04/10 11:03:57 | 001,234,232 | ---- | C] () -- C:\Program Files\1040_IN.dat
[2012/03/24 00:35:40 | 000,054,784 | ---- | C] () -- C:\Documents and Settings\kossbu\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/23 16:58:24 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012/02/25 02:49:28 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/22 18:43:26 | 001,721,714 | ---- | C] () -- C:\Program Files\1040_IA.dat
[2012/02/22 18:43:26 | 000,983,008 | ---- | C] () -- C:\Program Files\1040_IAprint.dat
[2012/02/22 18:43:26 | 000,445,494 | ---- | C] () -- C:\Program Files\1040_IA instructions.dat
[2012/02/22 18:43:26 | 000,001,035 | ---- | C] () -- C:\Program Files\1040_IA learn more.dat
[2012/02/22 18:42:58 | 003,327,006 | ---- | C] () -- C:\Program Files\1040_MI.dat
[2012/02/22 18:42:58 | 002,182,915 | ---- | C] () -- C:\Program Files\1040_MIprint.dat
[2012/02/22 18:42:58 | 000,920,994 | ---- | C] () -- C:\Program Files\1040_MI instructions.dat
[2012/02/22 18:42:58 | 000,000,929 | ---- | C] () -- C:\Program Files\1040_MI learn more.dat
[2012/02/22 18:42:28 | 000,878,218 | ---- | C] () -- C:\Program Files\1040_ILprint.dat
[2012/02/22 18:42:28 | 000,765,402 | ---- | C] () -- C:\Program Files\1040_IL.dat
[2012/02/22 18:42:28 | 000,536,742 | ---- | C] () -- C:\Program Files\1040_IL instructions.dat
[2012/02/22 18:42:28 | 000,000,797 | ---- | C] () -- C:\Program Files\1040_IL learn more.dat
[2012/02/07 15:58:11 | 000,854,727 | ---- | C] () -- C:\Program Files\1040_OH.dat
[2012/02/07 15:58:11 | 000,820,358 | ---- | C] () -- C:\Program Files\1040_OHprint.dat
[2012/02/07 15:58:11 | 000,707,944 | ---- | C] () -- C:\Program Files\1040_OH instructions.dat
[2012/02/07 15:58:11 | 000,269,736 | ---- | C] () -- C:\Program Files\UnStTax.exe
[2012/02/07 15:58:11 | 000,152,064 | ---- | C] () -- C:\Program Files\Unstate.exe
[2012/02/07 15:58:11 | 000,002,977 | ---- | C] () -- C:\Program Files\1040_OH learn more.dat
[2012/02/07 15:53:41 | 000,476,099 | ---- | C] () -- C:\Program Files\1040_Learn More.dat
[2012/02/07 15:53:41 | 000,286,848 | ---- | C] () -- C:\Program Files\Unta11.exe
[2012/02/07 15:53:41 | 000,152,064 | ---- | C] () -- C:\Program Files\Unwise32.exe
[2012/02/07 15:53:41 | 000,020,208 | ---- | C] () -- C:\Program Files\sssocra.fon
[2012/02/07 15:53:41 | 000,000,438 | ---- | C] () -- C:\Program Files\1040PrepModuleInfo11.ini
[2012/02/07 15:53:41 | 000,000,048 | ---- | C] () -- C:\WINDOWS\TaxACT11.ini
[2012/02/07 15:53:40 | 008,249,310 | ---- | C] () -- C:\Program Files\1040_Federal Instructions.dat
[2012/02/07 15:53:40 | 000,637,474 | ---- | C] () -- C:\Program Files\1040_Program Help.dat
[2012/02/07 15:53:40 | 000,240,720 | ---- | C] () -- C:\Program Files\UpdateMgr.exe
[2012/02/07 15:53:37 | 009,790,082 | ---- | C] () -- C:\Program Files\1040_FedPrint.dat
[2012/02/07 15:53:34 | 021,369,383 | ---- | C] () -- C:\Program Files\1040_Federal.dat
[2011/12/19 22:04:36 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2011/12/19 14:10:51 | 000,158,682 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/11/21 17:51:36 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2011/11/21 17:01:21 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
[2011/11/08 18:42:34 | 001,663,488 | ---- | C] () -- C:\WINDOWS\System32\BootMan.exe
[2011/11/08 18:42:34 | 000,086,408 | ---- | C] () -- C:\WINDOWS\System32\setupempdrv03.exe
[2011/11/08 18:42:34 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
[2011/11/08 18:42:33 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
[2011/11/08 18:42:33 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
[2011/11/08 18:32:01 | 000,149,504 | ---- | C] () -- C:\Documents and Settings\kossbu\Application Data\SharedSettings.ccs
[2011/11/06 19:37:56 | 000,000,440 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011/11/06 19:04:20 | 000,000,376 | ---- | C] () -- C:\Documents and Settings\kossbu\Application Dataprivacy.xml
[2011/11/02 02:17:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/11/02 01:46:03 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\asdict.dat
[2011/11/02 01:46:03 | 000,000,004 | ---- | C] () -- C:\WINDOWS\System32\aspdict-en.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\wsbl.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\phar_unmip.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\phar_histprot.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ph_white.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ph_summ.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\ph_black.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pcwords2.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pcwords.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_webproxy.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_video.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_tabloids.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_socialnetworks.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_searchengines.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_regionaltlds.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_pornography.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_onlineshop.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_onlinepay.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_onlinedating.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_news.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_im.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_illegal.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_hate.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_games.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_gambling.dat
[2011/11/02 00:53:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\pc_drugs.dat
[2011/11/02 00:23:17 | 000,000,025 | ---- | C] () -- C:\Documents and Settings\kossbu\Application Data\bdfvconp.ini
[2011/11/02 00:23:13 | 000,000,850 | ---- | C] () -- C:\Documents and Settings\kossbu\Application Data\ProductTweaks.xml
[2011/11/02 00:23:13 | 000,000,385 | ---- | C] () -- C:\Documents and Settings\kossbu\Application Data\user_gensett.xml
[2011/11/01 17:44:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/09/12 05:15:43 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2011/05/16 13:31:44 | 000,008,592 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2010/07/08 09:37:14 | 000,101,544 | ---- | C] () -- C:\Program Files\Common Files\LinkInstaller.exe

========== ZeroAccess Check ==========

[2012/05/20 22:40:26 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2011/12/19 03:53:33 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/08/21 07:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Alternate Data Streams ==========

@Alternate Data Stream - 152 bytes -> C:\Program Files\Question Writer 4:{68006700-7000-4D00-6500-520067006C00}

< End of report >

Edited by TaxPro, 28 November 2012 - 11:36 PM.
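The "ZeroAccess Check" block in the log above is worth understanding rather than just pasting: HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes takes precedence over HKLM\Software\Classes, so a per-user InProcServer32 key (which any standard user can write) silently redirects COM activation of that CLSID away from the Microsoft DLL registered machine-wide. OTL prints both hives for a handful of CLSIDs that ZeroAccess is known to hijack; in this log the HKLM entries resolve to Microsoft DLLs under system32 while the two HKCU keys are present but empty. The following is an added example, not part of the post and not OTL's own code: a small parser for that section that classifies each CLSID as OK, REVIEW (empty per-user key present) or HIJACK (per-user server populated, or machine-wide server not a Microsoft DLL under system32). The sample input is the log text above plus one constructed per-user entry (the `sysprop.dll` lines, clearly marked) so the HIJACK branch is exercised; that entry is invented for the demonstration and is not from the user's machine.

```python
"""Parse OTL's "ZeroAccess Check" section and flag COM InProcServer32 hijacks.

Added example (not OTL code). Rationale: HKCU\Software\Classes shadows
HKLM\Software\Classes in HKCR, so a per-user InProcServer32 key wins over the
machine-wide one and redirects COM activation without admin rights.
"""
import re

# Copied from the OTL log in the post above.
PAGE_LOG = r"""
========== ZeroAccess Check ==========

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2011/12/19 03:53:33 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/08/21 07:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
"""

# CONSTRUCTED for this example: what a populated per-user hijack of the wbemess
# CLSID would look like. Not from the user's log; the DLL name is hypothetical.
CONSTRUCTED_HIJACK = r"""
[HKEY_CURRENT_USER\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\Documents and Settings\kossbu\Application Data\sysprop.dll -- [2012/11/20 01:02:03 | 000,040,960 | ---- | M] ()
"ThreadingModel" = Both
"""

SAMPLE_LOG = PAGE_LOG + CONSTRUCTED_HIJACK

# OTL key header: [HIVE\Software\Classes\clsid\{GUID}\InProcServer32]
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Classes\\clsid\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\InProcServer32\]$", re.IGNORECASE)
# OTL default-value line: "" = <path> -- [<stamp>] (<company>)
VALUE_RE = re.compile(r'^"" = (.+?) -- \[(.*?)\] \((.*)\)$')

# Where the machine-wide server for these Microsoft CLSIDs is expected to live.
SYSTEM_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_zeroaccess_check(text):
    """Return {CLSID: {hive: {"path": str|None, "company": str|None}}}.

    path is None when OTL printed the key header with no default value
    after it, i.e. the key exists but is empty.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            hive, clsid = m.group(1).upper(), m.group(2).upper()
            current = {"path": None, "company": None}
            entries.setdefault(clsid, {})[hive] = current
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current["path"] = m.group(1)
            current["company"] = m.group(3) or None
    return entries


def assess(entries):
    """Return (clsid, severity, detail) tuples, worst first."""
    findings = []
    for clsid, hives in entries.items():
        hkcu = hives.get("HKEY_CURRENT_USER")
        hklm = hives.get("HKEY_LOCAL_MACHINE")
        if hkcu is not None:
            if hkcu["path"]:
                # A populated per-user server wins over HKLM: this is the hijack
                # itself, regardless of which DLL it names.
                findings.append((clsid, "HIJACK", "HKCU InProcServer32 = " + hkcu["path"]))
            else:
                # Key present but empty: OTL lists it because ZeroAccess creates it;
                # treat as a remnant to remove and re-scan rather than proof of infection.
                findings.append((clsid, "REVIEW", "empty HKCU InProcServer32 key present"))
        if hklm is not None:
            path = (hklm["path"] or "").lower()
            if path.startswith(SYSTEM_PREFIXES) and hklm["company"] == "Microsoft Corporation":
                findings.append((clsid, "OK", "HKLM InProcServer32 = " + hklm["path"]))
            else:
                findings.append((clsid, "HIJACK", "HKLM InProcServer32 = " + (hklm["path"] or "<none>")))
    rank = {"HIJACK": 0, "REVIEW": 1, "OK": 2}
    findings.sort(key=lambda f: (rank[f[1]], f[0]))
    return findings


if __name__ == "__main__":
    for clsid, severity, detail in assess(parse_zeroaccess_check(SAMPLE_LOG)):
        print(f"{severity:6} {clsid} {detail}")
```

Run against the log as posted (without the constructed lines) this reports the three HKLM entries as OK and the two empty HKCU keys as REVIEW; only the constructed `sysprop.dll` entry produces a HIJACK. On a live machine the equivalent check is to open both hives in regedit and confirm no per-user InProcServer32 exists for these CLSIDs.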


#15 TaxPro (Topic Starter)

Posted 29 November 2012 - 12:04 AM

Are there special steps that I need to take to remove ComboFix or any of the other tools that we have used?

BMK



