haysee5
I ran ComboFix as instructed. About halfway through it offered to update to a newer version, so I did. Then I ran it again and got the report below. Also, recently I booted the computer and it hung and gave me the following message: "A script on this page may be busy, etc. etc. - Script:resource:///modules/dbviewWrapper.235". I didn't know if that was anything to worry about. This was before running ComboFix this time. Also, after running ComboFix, my Thunderbird plug-ins were uninstalled or disabled, with the exception of AdBlock Plus 2.2.1.

ComboFix 13-01-17.03 - Tom 01/17/2013 8:54.4.2 - x86
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
 * Created a new restore point
.
FILE ::
"c:\documents and settings\Tom\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\4\1a31a9c4-4cc38813"
"c:\documents and settings\Tom\My Documents\Downloads\cnet_PSViewerSetup_exe.exe"
"c:\documents and settings\Tom\My Documents\Downloads\cnet_Stock-Kid-2009_zip.exe"
"c:\documents and settings\Tom\My Documents\Downloads\cnet2_AlmytaInventoryDistributor12_exe.exe"
"c:\documents and settings\Tom\My Documents\Downloads\YouTubeDownloaderSetup35.exe"
"c:\documents and settings\Tom\wgsdgsdgdsgsd.exe"
"c:\program files\Adobe\Adobe Dreamweaver CS5\Activation Blocker.cmd"
.
.
((((((((((((((((((((((((( Files Created from 2012-12-17 to 2013-01-17 )))))))))))))))))))))))))))))))
.
.
2013-01-17 14:20 . 2013-01-17 14:20 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CCBB6587-4541-485A-A739-9A6C740B38A4}\MpKslbee415fd.sys
2013-01-16 22:18 . 2013-01-16 22:18 60872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CCBB6587-4541-485A-A739-9A6C740B38A4}\offreg.dll
2013-01-16 22:05 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CCBB6587-4541-485A-A739-9A6C740B38A4}\mpengine.dll
2013-01-15 22:06 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-10 17:42 . 2013-01-10 17:42 -------- d-----w- C:\Temp
2013-01-07 15:17 . 2009-10-21 21:29 320512 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp101.dll
2013-01-07 15:17 . 2009-10-21 21:29 125440 ----a-w- c:\windows\system32\hpf3l101.dll
2013-01-07 15:17 . 2001-08-17 19:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2013-01-07 15:17 . 2001-08-17 19:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2013-01-07 15:14 . 2009-09-11 07:44 966656 ----a-w- c:\windows\system32\hpost_p04a.dll
2013-01-07 15:14 . 2009-09-11 07:44 887296 ----a-w- c:\windows\system32\hposwia_p04a.dll
2013-01-07 15:14 . 2009-09-11 07:44 315392 ----a-w- c:\windows\system32\hposc_p04a.dll
2012-12-28 12:04 . 2012-12-28 12:04 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Sun
2012-12-28 11:30 . 2012-12-28 11:30 -------- d-----w- c:\program files\CCleaner
2012-12-28 11:22 . 2012-12-28 11:22 -------- d-----w- c:\program files\Common Files\Java
2012-12-28 11:22 . 2012-12-28 11:22 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-12-28 11:22 . 2012-12-28 11:22 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-28 11:22 . 2012-12-28 11:22 -------- d-----w- c:\program files\Java
2012-12-28 11:12 . 2012-12-28 11:12 -------- d-----w- c:\program files\VS Revo Group
2012-12-26 08:06 . 2012-12-26 08:06 -------- d-----w- C:\_OTL
2012-12-18 19:44 . 2012-12-18 19:44 -------- d-----w- c:\documents and settings\Administrator.HAYSEEDHOMEBASE
2012-12-18 19:10 . 2012-12-18 19:10 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-28 11:22 . 2011-06-01 17:27 779704 ----a-w- c:\windows\system32\deployJava1.dll
2012-12-16 12:23 . 2003-03-31 07:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 22:49 . 2012-12-12 18:15 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-12 09:16 . 2012-04-15 01:39 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 09:16 . 2011-05-29 02:56 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25 . 2003-03-31 07:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2011-05-23 07:33 1371648 ------w- c:\windows\system32\msxml6.dll
2012-11-02 02:02 . 2003-03-31 07:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2003-03-31 07:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2003-03-31 07:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2003-03-31 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2011-05-23 07:33 385024 ------w- c:\windows\system32\html.iec
2013-01-11 06:24 . 2013-01-11 06:24 262704 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2012-12-05 05:53 . 5744FFF8E72D105C138DAE9E17BB29FE . 916960 . . [17.0.1] . . c:\windows\erdnt\cache\firefox.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-12-05 04:23 1019976 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-12-05 04:23 1019976 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-12-05 04:23 1019976 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2010-11-23 500992]
"RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2010-11-23 38144]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-11-02 19580520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-12-05 1065032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Tom\Start Menu\Programs\Startup\
Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2008-4-29 1699840]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe Download Assistant\\Adobe Download Assistant.exe"=
"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
"c:\\Program Files\\LogMeIn Hamachi\\hamachi-2-ui.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 bskrlhyv;bskrlhyv;c:\windows\system32\drivers\bskrlhyv.sys [x]
R1 cacbqskf;cacbqskf;c:\windows\system32\drivers\cacbqskf.sys [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE [x]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh5.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLBEE415FD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-17 c:\windows\Tasks\AdobeAAMUpdater-1.0-HAYSEEDHOMEBASE-Tom.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-06-28 22:42]
.
2013-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003Core.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-23 08:06]
.
2013-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003UA.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-23 08:06]
.
2013-01-16 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 22:25]
.
2013-01-17 c:\windows\Tasks\WpsUpdateTask_Tom.job
- c:\program files\Kingsoft\Kingsoft Spreadsheets\office6\wpsupdate.exe [2011-11-03 16:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\l1rbtjv8.default-1356546181171\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - ExtSQL: 2012-12-04 23:53; {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
FF - ExtSQL: 2012-12-26 20:10; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\l1rbtjv8.default-1356546181171\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: !HIDDEN! 2011-05-27 14:59; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-17 08:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2060)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-01-17 08:58:20
ComboFix-quarantined-files.txt 2013-01-17 14:58
ComboFix2.txt 2013-01-17 14:28
ComboFix3.txt 2012-12-27 01:58
ComboFix4.txt 2012-12-21 01:18
.
Pre-Run: 441,622,667,264 bytes free
Post-Run: 441,614,798,848 bytes free
.
- - End Of File - - EACFCB7881A69682E8478A49F93F7AC6
-
My apologies, Gringo. I have been swamped with business, but am trying to break loose and finish your last instructions. Tom
-
Hello again, Gringo. I haven't had my search-engine re-direct problem for some time now; however, ESET detected 10 threats on my machine, so I guess there is still work to do. Here is the ESET scan:

C:\Documents and Settings\Tom\wgsdgsdgdsgsd.exe    a variant of Win32/Kryptik.ARUD trojan
C:\Documents and Settings\Tom\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\4\1a31a9c4-4cc38813    a variant of Win32/Kryptik.ARUD trojan
C:\Documents and Settings\Tom\My Documents\Downloads\cnet2_AlmytaInventoryDistributor12_exe.exe    a variant of Win32/InstallCore.D application
C:\Documents and Settings\Tom\My Documents\Downloads\cnet_PSViewerSetup_exe.exe    a variant of Win32/InstallCore.D application
C:\Documents and Settings\Tom\My Documents\Downloads\cnet_Stock-Kid-2009_zip.exe    a variant of Win32/InstallCore.D application
C:\Documents and Settings\Tom\My Documents\Downloads\YouTubeDownloaderSetup35.exe    Win32/Toolbar.Widgi application
C:\Program Files\Adobe\Adobe Dreamweaver CS5\Activation Blocker.cmd    BAT/HostsChanger.A application
C:\System Volume Information\_restore{FD1E5A5F-613B-403E-9635-1CCDCBEBB524}\RP766\A0081374.ocx    Win32/Adware.MultiPlug.D application
C:\System Volume Information\_restore{FD1E5A5F-613B-403E-9635-1CCDCBEBB524}\RP767\A0081414.exe    a variant of Win32/InstallCore.D application
Operating memory    multiple threats
-
Very sorry. We have been swamped with orders since the beginning of the year, but we are trying to make time to take the steps that you suggested, i.e. ESET. Thanks, Tom
-
I couldn't do anything with ESET, because I don't have Internet Explorer. Is there something I can use with Thunderbird? I did remove the unwanted start-up programs. Thanks, Tom
-
Hi, Gringo. All is still well. No redirects, no problems. Is it safe to turn on my Carbonite Backup again? Here are the logs:

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2012.12.28.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Tom :: HAYSEEDHOMEBASE [administrator]

12/28/2012 5:35:42 AM
mbam-log-2012-12-28 (05-35-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240290
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:52:44 AM, on 12/28/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Live365\Radio365\Radio365TrayAgent.exe
C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
C:\Program Files\Calibrize\CalibrizeResume.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\1.3.21.123\GoogleCrashHandler.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Tom\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Radio365Agent] C:\Program Files\Live365\Radio365\Radio365TrayAgent.exe
O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe"
O4 - HKCU\..\Run: [RCHotKey] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe"
O4 - HKCU\..\Run: [Flashpaste] C:\Program Files\Flashpaste\flashpaste.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [CGFLoader] C:\Program Files\Calibrize\CalibrizeLoader.exe
O4 - HKCU\..\Run: [CalibrizeResume] C:\Program Files\Calibrize\CalibrizeResume.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: EPSON V3 Service4(05) (EPSON_PM_RPCV4_05) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7406 bytes
-
After Combofix, I'm still doing fine - not having any problems with search engine re-directs. Lost a Thunderbird extension, maybe two (Ad Blocker Plus with Fanboy's list) but reinstalled with no problems. Have restarted Microsoft Security Essentials. Reinstalled Carbonite, connectivity problem there is now gone. NOTE: I have put Carbonite on pause, as I wanted to ask you if there was the possibility that the virus might be in my on-line back-up, too? Here is the log from cf: ComboFix 12-12-20.02 - Tom 12/26/2012 19:52:15.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1952 [GMT -6:00] Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\system32\drivers\etc\hosts.ics . . ((((((((((((((((((((((((( Files Created from 2012-11-27 to 2012-12-27 ))))))))))))))))))))))))))))))) . . 2012-12-27 01:50 . 2012-12-27 01:50 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2CEFF535-8B9B-48F4-9966-E12B9DD78126}\MpKsl8f60d92d.sys 2012-12-26 17:20 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2CEFF535-8B9B-48F4-9966-E12B9DD78126}\mpengine.dll 2012-12-26 08:06 . 2012-12-26 08:06 -------- d-----w- C:\_OTL 2012-12-18 19:44 . 2012-12-18 19:44 -------- d-----w- c:\documents and settings\Administrator.HAYSEEDHOMEBASE 2012-12-18 19:10 . 2012-12-18 19:10 -------- d-----w- C:\TDSSKiller_Quarantine 2012-12-14 23:19 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-12-14 22:20 . 
2012-12-14 22:24 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Deployment 2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes 2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2012-12-12 18:15 . 2012-09-30 01:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-12-11 18:18 . 2011-12-12 23:43 1034240 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys 2012-12-11 18:18 . 2010-02-03 17:21 89088 ----a-w- c:\windows\system32\ATL71.DLL . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-12-16 12:23 . 2003-03-31 07:00 290560 ----a-w- c:\windows\system32\atmfd.dll 2012-12-12 09:16 . 2012-04-15 01:39 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-12-12 09:16 . 2011-05-29 02:56 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-11-13 01:25 . 2003-03-31 07:00 1866368 ----a-w- c:\windows\system32\win32k.sys 2012-11-02 02:02 . 2003-03-31 07:00 375296 ----a-w- c:\windows\system32\dpnet.dll 2012-11-01 12:17 . 2003-03-31 07:00 916992 ----a-w- c:\windows\system32\wininet.dll 2012-11-01 12:17 . 2003-03-31 07:00 43520 ------w- c:\windows\system32\licmgr10.dll 2012-11-01 12:17 . 2003-03-31 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2012-11-01 00:35 . 2011-05-23 07:33 385024 ------w- c:\windows\system32\html.iec 2012-10-02 18:04 . 2003-03-31 07:00 58368 ----a-w- c:\windows\system32\synceng.dll 2012-12-05 05:53 . 2012-12-05 05:53 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green] @="{95A27763-F62A-4114-9072-E81D87DE3B68}" [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}] 2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial] @="{E300CD91-100F-4E67-9AF3-1384A6124015}" [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}] 2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow] @="{5E529433-B50E-4bef-A63B-16A6B71B071A}" [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}] 2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Radio365Agent"="c:\program files\Live365\Radio365\Radio365TrayAgent.exe" [2011-04-13 1003520] "RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2010-11-23 500992] "RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2010-11-23 38144] "Flashpaste"="c:\program files\Flashpaste\flashpaste.exe" [2011-04-17 643584] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408] "CGFLoader"="c:\program files\Calibrize\CalibrizeLoader.exe" [2007-11-26 1961984] "CalibrizeResume"="c:\program files\Calibrize\CalibrizeResume.exe" [2007-11-26 413696] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2010-11-02 19580520] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-10-08 203072] "nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360] "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432] "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176] "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696] "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-08-29 1061960] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] . c:\documents and settings\Tom\Start Menu\Programs\Startup\ Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2008-4-29 1699840] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "FirewallOverride"=dword:00000001 . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"= "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"= "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Adobe Download Assistant\\Adobe Download Assistant.exe"= "c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"= "c:\\Program Files\\LogMeIn Hamachi\\hamachi-2-ui.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 . 
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [5/27/2011 3:28 PM 218688]
R1 MpKsl8f60d92d;MpKsl8f60d92d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2CEFF535-8B9B-48F4-9966-E12B9DD78126}\MpKsl8f60d92d.sys [12/26/2012 7:50 PM 29904]
R2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE [4/9/2012 12:36 PM 125440]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2/28/2012 4:38 PM 1373576]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/12/2012 12:15 PM 399432]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [12/11/2012 12:18 PM 1034240]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/12/2012 12:15 PM 22856]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/12/2012 12:15 PM 676936]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/23/2011 1:58 AM 1691480]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL8F60D92D
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-26 c:\windows\Tasks\AdobeAAMUpdater-1.0-HAYSEEDHOMEBASE-Tom.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-06-28 22:42]
.
2012-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003Core.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-23 08:06]
.
2012-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003UA.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-23 08:06]
.
2012-12-26 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 22:25]
.
2012-12-27 c:\windows\Tasks\WpsUpdateTask_Tom.job
- c:\program files\Kingsoft\Kingsoft Spreadsheets\office6\wpsupdate.exe [2011-11-03 16:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\l1rbtjv8.default-1356546181171\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - ExtSQL: 2012-12-04 23:53; {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
FF - ExtSQL: 2012-12-04 23:53; {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF - ExtSQL: !HIDDEN! 2011-05-27 14:59; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-63686105.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-26 19:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-12-26 19:58:49
ComboFix-quarantined-files.txt 2012-12-27 01:58
ComboFix2.txt 2012-12-21 01:18
.
Pre-Run: 444,492,972,032 bytes free
Post-Run: 444,649,738,240 bytes free
.
- - End Of File - - A3995334C4416F09F17B23E05519D308
-
Firefox home page is now back to using Google as its default search, as it should. Should I do anything else to clean up the Genieo installation? Thanks, Tom
-
Genieo was being used by the Firefox start page in Firefox 17.0.1 (running XP Pro). I said "Thunderbird" before. Sorry. Not enough Folgers in my cup. Thanks, Tom
-
Oops - the search engines are working normally now except when I use the search box in the middle of the Thunderbird start page. It takes me to Genieo. I changed my home page to Bing, so that is no longer a problem, but I don't know how Genieo got there, and nothing shows up in "Add or Uninstall Software" (in Control Panel) that I can uninstall. Is this part of the same problem and how should I proceed regarding this? Also, can I turn on the Windows Security Essentials real-time protection now? Thanks, Tom
-
Regarding search engine link hijack - I was unable to find the text report in notepad, however I tested Google, Yahoo Search, and Bing. All three search engines are working normally now and the links on their pages are no longer being hijacked and linked to other search engines or websites. At this point, it appears that the problem has been fixed. -Tom
-
Okay, I'm back. Before I paste the OTL report, I wanted to ask you if there was anything I should be doing with:

17:28:48.671 File: C:\Documents and Settings\All Users\Documents\Ham Radio\New Folder (2)\VXO\fast__auto.exe **INFECTED** Win32:Dropper-gen [Drp]

This was shown in the aswMBR report I checked, and this file appeared at roughly the same time as this problem started. I had a BSOD crash since we last corresponded as well. Here is the report file:

OTL logfile created on: 12/23/2012 9:05:14 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Tom\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.50 Gb Total Physical Memory | 1.87 Gb Available Physical Memory | 74.71% Memory free
4.34 Gb Paging File | 3.91 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 414.25 Gb Free Space | 88.94% Space Free | Partition Type: NTFS
Drive D: | 82.44 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: HAYSEEDHOMEBASE | User Name: Tom | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Tom\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
PRC - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)
PRC - C:\Program Files\Mozilla Thunderbird\thunderbird.exe (Mozilla Messaging)
PRC - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE (SEIKO EPSON CORPORATION)
PRC - C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe (RingCentral, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Calibrize\CalibrizeResume.exe (Eberhard Werle)

========== Modules (No Company Name) ==========

MOD - C:\Program Files\Mozilla Thunderbird\nsldappr32v60.dll ()
MOD - C:\Program Files\Mozilla Thunderbird\nsldap32v60.dll ()
MOD - C:\Program Files\Mozilla Thunderbird\mozjs.dll ()

========== Services (SafeList) ==========

SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (Hamachi2Svc) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)
SRV - (EPSON_PM_RPCV4_05) -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE (SEIKO EPSON CORPORATION)

========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (dcubamvg) -- C:\WINDOWS\system32\drivers\dcubamvg.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\Tom\LOCALS~1\Temp\catchme.sys File not found
DRV - (adfs) -- File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (BCMH43XX) -- C:\WINDOWS\system32\drivers\bcmwlhigh5.sys (Broadcom Corporation)
DRV - (NVHDA) -- C:\WINDOWS\system32\drivers\nvhda32.sys (NVIDIA Corporation)
DRV - (dtsoftbus01) -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys (DT Soft Ltd)
DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nvgts) -- C:\WINDOWS\system32\drivers\nvgts.sys (NVIDIA Corporation)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)
DRV - (RT61) -- C:\WINDOWS\system32\drivers\rt61.sys (Ralink Technology Inc.)
========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-842925246-2147255891-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-842925246-2147255891-682003330-1003\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-842925246-2147255891-682003330-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-842925246-2147255891-682003330-1003\..\SearchScopes\{8E02D41C-5924-4816-9490-33CCD28BEB72}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
IE - HKU\S-1-5-21-842925246-2147255891-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811&ilc=12"
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledAddons: %7BCAFEEFAC-0016-0000-0033-ABCDEFFEDCBA%7D:6.0.33
FF - prefs.js..extensions.enabledAddons: %7BCAFEEFAC-0016-0000-0035-ABCDEFFEDCBA%7D:6.0.35
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
FF - prefs.js..extensions.enabledItems: smartwebprinting@hp.com:4.5
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.10
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {ab91efd4-6975-4081-8552-1b3922ed79e2}:1.0.5.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_35: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/05/27 13:59:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/04 23:53:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/12/04 23:53:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 5.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/12/17 11:37:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 5.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/05/27 13:59:25 | 000,000,000 | ---D | M]

[2011/05/28 07:13:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tom\Application Data\Mozilla\Extensions
[2011/05/23 12:20:57 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tom\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012/12/13 12:32:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\extensions
[2012/12/13 12:32:03 | 002,151,598 | ---- | M] () (No name found) -- C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\extensions\firebug@software.joehewitt.com.xpi
[2012/11/23 10:40:14 | 000,804,627 | ---- | M] () (No name found) -- C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/12/04 23:53:03 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/12/04 23:53:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
[2012/12/04 23:53:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
[2012/12/04 23:53:53 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/03/21 07:22:04 | 001,680,272 | ---- | M] (Caminova, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdjvu.dll
[2011/03/18 12:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2012/08/31 07:25:27 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/11 20:14:13 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://websearch.mocaflix.com/
CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.2_0\
CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\
CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.4_0\

O1 HOSTS File: ([2012/12/20 19:16:50 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [bifröst II on HAYSEEDHOMEBASE (from HAYSEEDMOBILE)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIHEA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [CalibrizeResume] C:\Program Files\Calibrize\CalibrizeResume.exe (Eberhard Werle)
O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [CGFLoader] C:\Program Files\Calibrize\CalibrizeLoader.exe (Colorjinn)
O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [Flashpaste] C:\Program Files\Flashpaste\Flashpaste.exe ()
O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [Radio365Agent] C:\Program Files\Live365\Radio365\Radio365TrayAgent.exe (Live365)
O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [RCHotKey] C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe (RingCentral, Inc.)
O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [RCUI] C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe (RingCentral, Inc.)
O4 - Startup: C:\Documents and Settings\Tom\Start Menu\Programs\Startup\Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe (SourceForge.net)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-842925246-2147255891-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-842925246-2147255891-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-842925246-2147255891-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-842925246-2147255891-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-842925246-2147255891-682003330-1003\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6D82F982-3361-4870-9184-3A24BA5DD021}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FE74D0E6-CA2A-403F-BC85-562B2EC95D2A}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/05/23 00:52:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/02/22 10:43:08 | 000,358,248 | R--- | M] (NETGEAR Inc.) - D:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2006/05/29 18:27:40 | 000,000,047 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/12/23 08:59:36 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
[2012/12/21 09:59:46 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Tom\Desktop\aswMBR.exe
[2012/12/21 09:42:08 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Tom\Desktop\tdsskiller(1).exe
[2012/12/20 19:18:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/12/20 19:10:55 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/12/20 19:09:24 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/12/20 19:09:24 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/12/20 19:09:24 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/12/20 19:09:24 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/12/20 19:09:05 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/12/20 19:08:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/12/20 19:05:17 | 005,012,825 | R--- | C] (Swearware) -- C:\Documents and Settings\Tom\Desktop\ComboFix.exe
[2012/12/20 15:21:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Desktop\RK_Quarantine
[2012/12/20 12:14:44 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Tom\Desktop\HijackThis.exe
[2012/12/19 09:59:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Upconverter
[2012/12/18 13:10:21 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/12/14 16:20:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Local Settings\Application Data\Deployment
[2012/12/12 12:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Application Data\Malwarebytes
[2012/12/12 12:15:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/12/12 12:15:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/12/12 12:15:34 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/12/12 12:15:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/12/11 12:18:04 | 001,034,240 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\drivers\bcmwlhigh5.sys
[2012/12/11 12:18:01 | 000,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ATL71.DLL
[2012/12/10 04:45:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Cart32
[2012/12/04 23:53:02 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/12/23 08:59:36 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe
[2012/12/23 08:54:00 | 000,000,370 | ---- | M] () -- C:\WINDOWS\tasks\WpsUpdateTask_Tom.job
[2012/12/23 08:52:00 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003UA.job
[2012/12/23 03:23:51 | 000,492,614 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/12/23 03:23:51 | 000,083,262 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/12/23 03:20:02 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/12/23 03:19:54 | 000,000,374 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2012/12/23 03:19:50 | 003,798,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/12/23 03:19:42 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\Wnorzxwzl.job
[2012/12/23 03:19:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/12/23 02:00:00 | 000,000,338 | ---- | M] () -- C:\WINDOWS\tasks\AdobeAAMUpdater-1.0-HAYSEEDHOMEBASE-Tom.job
[2012/12/22 23:52:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003Core.job
[2012/12/21 21:35:06 | 000,018,505 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\crash2.jpg
[2012/12/21 21:34:48 | 000,053,769 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\crash.jpg
[2012/12/21 18:56:57 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\MBR.dat
[2012/12/21 16:34:54 | 000,013,312 | ---- | M] () -- C:\Documents and Settings\Tom\Application Data\Settings.cfg
[2012/12/21 16:13:25 | 000,030,649 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\forecast.jpg
[2012/12/21 09:59:47 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Tom\Desktop\aswMBR.exe
[2012/12/21 09:42:13 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Tom\Desktop\tdsskiller(1).exe
[2012/12/20 19:16:50 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/12/20 19:10:59 | 000,000,313 | RHS- | M] () -- C:\boot.ini
[2012/12/20 19:05:30 | 005,012,825 | R--- | M] (Swearware) -- C:\Documents and Settings\Tom\Desktop\ComboFix.exe
[2012/12/20 16:36:13 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/12/20 15:20:20 | 000,756,224 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\RogueKiller.exe
[2012/12/20 15:07:22 | 000,547,175 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\AdwCleaner.exe
[2012/12/20 15:02:41 | 000,856,731 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\SecurityCheck(1).exe
[2012/12/20 12:14:44 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Tom\Desktop\HijackThis.exe
[2012/12/18 13:14:11 | 000,001,808 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2012/12/17 11:37:59 | 000,001,686 | ---- | M] () -- C:\Documents and Settings\Tom\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2012/12/17 11:37:59 | 000,001,668 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Thunderbird.lnk
[2012/12/16 09:09:14 | 000,001,495 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\restore.vbs
[2012/12/16 06:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\dllcache\atmfd.dll
[2012/12/16 06:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\atmfd.dll
[2012/12/16 06:20:34 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/12/15 09:20:18 | 000,135,168 | RHS- | M] () -- C:\WINDOWS\System32\lfjbguw.dll
[2012/12/12 21:54:14 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\Google Chrome.lnk
[2012/12/12 12:15:41 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/12 03:16:31 | 000,697,272 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/12/12 03:16:31 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/12/10 23:59:54 | 000,159,476 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\HazardFraught2ndtry.jpg
[2012/12/10 23:54:05 | 000,159,476 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\HazardFraught.jpg
[2012/12/10 11:21:26 | 000,030,878 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\flag2.jpg
[2012/12/10 11:20:03 | 000,032,156 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\flag1.jpg
[2012/12/05 12:05:50 | 000,001,056 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Kingsoft Spreadsheets.lnk
[2012/11/28 05:45:58 | 000,111,812 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\Farland, Tom and Julia 2012-2013 Lease.pdf
[2012/11/23 15:04:21 | 000,027,993 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\idwd.jpg
[2012/11/23 14:45:24 | 000,006,660 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\ilike.jpg
[2012/11/23 14:36:26 | 000,070,240 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\hillary-clinton-dejected.jpg
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/12/21 21:35:06 | 000,018,505 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\crash2.jpg
[2012/12/21 21:34:48 | 000,053,769 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\crash.jpg
[2012/12/21 18:56:57 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\MBR.dat
[2012/12/21 13:33:47 | 000,030,649 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\forecast.jpg
[2012/12/20 19:10:59 | 000,000,197 | ---- | C] () -- C:\Boot.bak
[2012/12/20 19:10:56 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/12/20 19:09:24 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/12/20 19:09:24 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/12/20 19:09:24 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/12/20 19:09:24 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/12/20 19:09:24 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/12/20 15:20:13 | 000,756,224 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\RogueKiller.exe
[2012/12/20 15:07:22 | 000,547,175 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\AdwCleaner.exe
[2012/12/20 15:02:41 | 000,856,731 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\SecurityCheck(1).exe
[2012/12/17 11:37:59 | 000,001,674 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Thunderbird.lnk
[2012/12/16 09:09:14 | 000,001,495 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\restore.vbs
[2012/12/16 06:21:35 | 000,201,448 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/12/15 09:20:18 | 000,135,168 | RHS- | C] () -- C:\WINDOWS\System32\lfjbguw.dll
[2012/12/15 09:20:18 | 000,000,308 | ---- | C] () -- C:\WINDOWS\tasks\Wnorzxwzl.job
[2012/12/12 12:15:41 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/10 23:59:54 | 000,159,476 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\HazardFraught2ndtry.jpg
[2012/12/10 23:54:05 | 000,159,476 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\HazardFraught.jpg
[2012/12/10 11:20:30 | 000,030,878 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\flag2.jpg
[2012/12/10 11:20:03 | 000,032,156 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\flag1.jpg
[2012/11/23 15:04:21 | 000,027,993 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\idwd.jpg
[2012/11/23 14:45:24 | 000,006,660 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\ilike.jpg
[2012/11/23 14:36:25 | 000,070,240 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\hillary-clinton-dejected.jpg
[2012/10/05 10:59:25 | 000,048,076 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2012/07/31 15:08:44 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Tom\Application Data\Adobe BMP Format CS5 Prefs
[2012/07/21 08:21:07 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2012/07/03 13:51:54 | 
000,000,132 | ---- | C] () -- C:\Documents and Settings\Tom\Application Data\Adobe GIF Format CS5 Prefs [2012/02/15 11:53:06 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll [2012/01/11 15:25:47 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini [2011/10/15 05:31:00 | 000,002,290 | ---- | C] () -- C:\WINDOWS\DigiPan.INI [2011/09/03 07:23:18 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI [2011/08/12 17:57:27 | 000,000,418 | ---- | C] () -- C:\WINDOWS\hpwmdl28.dat.temp [2011/07/03 17:55:50 | 000,285,176 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin [2011/07/03 17:55:50 | 000,285,176 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin [2011/07/03 17:55:50 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin [2011/07/03 17:55:32 | 002,130,002 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data [2011/06/08 20:14:17 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2011/06/01 18:44:11 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\Tom\Application Data\Settings.cfg [2011/05/30 07:04:32 | 000,059,952 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE [2011/05/27 15:41:38 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2011/05/27 13:56:27 | 000,207,292 | ---- | C] () -- C:\WINDOWS\hpwins28.dat [2011/05/27 13:56:27 | 000,000,418 | ---- | C] () -- C:\WINDOWS\hpwmdl28.dat [2011/05/26 20:30:13 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Tom\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2011/05/23 12:20:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat [2011/05/23 08:45:56 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2011/05/23 08:45:34 | 003,798,992 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2011/05/23 01:57:19 | 000,010,084 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin [2011/05/23 00:53:32 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat [2011/05/23 00:52:01 | 000,021,640 | ---- | C] () -- 
C:\WINDOWS\System32\emptyregdb.dat ========== ZeroAccess Check ========== [2012/01/11 15:21:09 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shdocvw.dll -- [2011/02/17 07:51:57 | 001,510,400 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 06:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] "" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 04:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both < End of report >
-
Sorry. Had to leave for a day. All is the same as before, i.e. after a Google, Bing, etc. search engine page is opened, clicking any link on it causes the browser to be redirected to another search engine (Newsbusters, Scour, etc.) or sometimes to a random web page. Here are the logs:

09:47:42.0263 2264 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35 09:47:42.0935 2264 ============================================================ 09:47:42.0935 2264 Current date / time: 2012/12/21 09:47:42.0935 09:47:42.0935 2264 SystemInfo: 09:47:42.0935 2264 09:47:42.0935 2264 OS Version: 5.1.2600 ServicePack: 3.0 09:47:42.0935 2264 Product type: Workstation 09:47:42.0935 2264 ComputerName: HAYSEEDHOMEBASE 09:47:42.0935 2264 UserName: Tom 09:47:42.0935 2264 Windows directory: C:\WINDOWS 09:47:42.0935 2264 System windows directory: C:\WINDOWS 09:47:42.0935 2264 Processor architecture: Intel x86 09:47:42.0935 2264 Number of processors: 2 09:47:42.0935 2264 Page size: 0x1000 09:47:42.0935 2264 Boot type: Normal boot 09:47:42.0935 2264 ============================================================ 09:47:44.0076 2264 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058 09:47:44.0076 2264 ============================================================ 09:47:44.0076 2264 \Device\Harddisk0\DR0: 09:47:44.0076 2264 MBR partitions: 09:47:44.0076 2264 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A380D41 09:47:44.0076 2264 ============================================================ 09:47:44.0091 2264 C: <-> \Device\Harddisk0\DR0\Partition1 09:47:44.0091 2264 ============================================================ 09:47:44.0091 2264 Initialize success 09:47:44.0091 2264 ============================================================ 09:48:10.0341 1960 ============================================================ 09:48:10.0341 1960 Scan 
started 09:48:10.0341 1960 Mode: Manual; 09:48:10.0341 1960 ============================================================ 09:48:11.0716 1960 ================ Scan system memory ======================== 09:48:11.0716 1960 System memory - ok 09:48:11.0716 1960 ================ Scan services ============================= 09:48:11.0779 1960 Abiosdsk - ok 09:48:11.0779 1960 abp480n5 - ok 09:48:11.0826 1960 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys 09:48:11.0826 1960 ACPI - ok 09:48:11.0857 1960 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys 09:48:11.0857 1960 ACPIEC - ok 09:48:11.0873 1960 adfs - ok 09:48:11.0873 1960 adpu160m - ok 09:48:11.0904 1960 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys 09:48:11.0904 1960 aec - ok 09:48:11.0951 1960 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys 09:48:11.0951 1960 AFD - ok 09:48:11.0951 1960 Aha154x - ok 09:48:11.0951 1960 aic78u2 - ok 09:48:11.0966 1960 aic78xx - ok 09:48:11.0998 1960 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll 09:48:11.0998 1960 Alerter - ok 09:48:12.0029 1960 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe 09:48:12.0029 1960 ALG - ok 09:48:12.0029 1960 AliIde - ok 09:48:12.0091 1960 [ 267FC636801EDC5AB28E14036349E3BE ] Ambfilt C:\WINDOWS\system32\drivers\Ambfilt.sys 09:48:12.0138 1960 Ambfilt - ok 09:48:12.0138 1960 amsint - ok 09:48:12.0170 1960 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll 09:48:12.0170 1960 AppMgmt - ok 09:48:12.0185 1960 asc - ok 09:48:12.0185 1960 asc3350p - ok 09:48:12.0185 1960 asc3550 - ok 09:48:12.0263 1960 [ 776ACEFA0CA9DF0FAA51A5FB2F435705 ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe 09:48:12.0279 1960 aspnet_state - ok 09:48:12.0310 1960 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys 
09:48:12.0310 1960 AsyncMac - ok 09:48:12.0326 1960 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys 09:48:12.0326 1960 atapi - ok 09:48:12.0326 1960 Atdisk - ok 09:48:12.0357 1960 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys 09:48:12.0357 1960 Atmarpc - ok 09:48:12.0373 1960 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll 09:48:12.0373 1960 AudioSrv - ok 09:48:12.0420 1960 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys 09:48:12.0420 1960 audstub - ok 09:48:12.0482 1960 [ BCDF72DCE41874B3AD9143D537B493B2 ] BCMH43XX C:\WINDOWS\system32\DRIVERS\bcmwlhigh5.sys 09:48:12.0498 1960 BCMH43XX - ok 09:48:12.0529 1960 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys 09:48:12.0529 1960 Beep - ok 09:48:12.0545 1960 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll 09:48:12.0560 1960 BITS - ok 09:48:12.0591 1960 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll 09:48:12.0591 1960 Browser - ok 09:48:12.0670 1960 catchme - ok 09:48:12.0670 1960 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys 09:48:12.0685 1960 cbidf2k - ok 09:48:12.0685 1960 cd20xrnt - ok 09:48:12.0685 1960 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys 09:48:12.0685 1960 Cdaudio - ok 09:48:12.0701 1960 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys 09:48:12.0701 1960 Cdfs - ok 09:48:12.0716 1960 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys 09:48:12.0716 1960 Cdrom - ok 09:48:12.0716 1960 Changer - ok 09:48:12.0763 1960 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe 09:48:12.0763 1960 CiSvc - ok 09:48:12.0779 1960 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe 09:48:12.0779 1960 ClipSrv - ok 
09:48:12.0841 1960 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 09:48:12.0841 1960 clr_optimization_v2.0.50727_32 - ok 09:48:12.0873 1960 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 09:48:12.0904 1960 clr_optimization_v4.0.30319_32 - ok 09:48:12.0904 1960 CmdIde - ok 09:48:12.0904 1960 COMSysApp - ok 09:48:12.0920 1960 Cpqarray - ok 09:48:12.0982 1960 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll 09:48:12.0982 1960 CryptSvc - ok 09:48:12.0998 1960 dac2w2k - ok 09:48:12.0998 1960 dac960nt - ok 09:48:13.0076 1960 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll 09:48:13.0076 1960 DcomLaunch - ok 09:48:13.0076 1960 dcubamvg - ok 09:48:13.0123 1960 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll 09:48:13.0138 1960 Dhcp - ok 09:48:13.0170 1960 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys 09:48:13.0170 1960 Disk - ok 09:48:13.0170 1960 dmadmin - ok 09:48:13.0185 1960 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys 09:48:13.0201 1960 dmboot - ok 09:48:13.0201 1960 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys 09:48:13.0216 1960 dmio - ok 09:48:13.0232 1960 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys 09:48:13.0232 1960 dmload - ok 09:48:13.0248 1960 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll 09:48:13.0248 1960 dmserver - ok 09:48:13.0295 1960 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys 09:48:13.0295 1960 DMusic - ok 09:48:13.0326 1960 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll 09:48:13.0326 1960 Dnscache - ok 09:48:13.0341 1960 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc 
C:\WINDOWS\System32\dot3svc.dll 09:48:13.0341 1960 Dot3svc - ok 09:48:13.0341 1960 dpti2o - ok 09:48:13.0357 1960 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys 09:48:13.0357 1960 drmkaud - ok 09:48:13.0388 1960 [ 555E54AC2F601A8821CEF58961653991 ] dtsoftbus01 C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys 09:48:13.0388 1960 dtsoftbus01 - ok 09:48:13.0404 1960 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll 09:48:13.0420 1960 EapHost - ok 09:48:13.0482 1960 [ 59F66FC5F5A984C2060AD3363F69364A ] EPSON_PM_RPCV4_05 C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE 09:48:13.0498 1960 EPSON_PM_RPCV4_05 - ok 09:48:13.0513 1960 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll 09:48:13.0513 1960 ERSvc - ok 09:48:13.0545 1960 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe 09:48:13.0545 1960 Eventlog - ok 09:48:13.0607 1960 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\System32\es.dll 09:48:13.0607 1960 EventSystem - ok 09:48:13.0623 1960 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys 09:48:13.0623 1960 Fastfat - ok 09:48:13.0638 1960 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll 09:48:13.0638 1960 FastUserSwitchingCompatibility - ok 09:48:13.0638 1960 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys 09:48:13.0638 1960 Fdc - ok 09:48:13.0685 1960 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys 09:48:13.0685 1960 Fips - ok 09:48:13.0685 1960 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys 09:48:13.0685 1960 Flpydisk - ok 09:48:13.0732 1960 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys 09:48:13.0732 1960 FltMgr - ok 09:48:13.0810 1960 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 
C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 09:48:13.0810 1960 FontCache3.0.0.0 - ok 09:48:13.0810 1960 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys 09:48:13.0810 1960 Fs_Rec - ok 09:48:13.0826 1960 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys 09:48:13.0826 1960 Ftdisk - ok 09:48:13.0857 1960 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys 09:48:13.0873 1960 Gpc - ok 09:48:13.0904 1960 [ 833051C6C6C42117191935F734CFBD97 ] hamachi C:\WINDOWS\system32\DRIVERS\hamachi.sys 09:48:13.0904 1960 hamachi - ok 09:48:13.0935 1960 [ FA89C0429821C7C429EEC7A0CE1C02D3 ] Hamachi2Svc C:\Program Files\LogMeIn Hamachi\hamachi-2.exe 09:48:13.0966 1960 Hamachi2Svc - ok 09:48:13.0982 1960 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 09:48:13.0982 1960 HDAudBus - ok 09:48:14.0045 1960 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll 09:48:14.0045 1960 helpsvc - ok 09:48:14.0045 1960 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll 09:48:14.0045 1960 HidServ - ok 09:48:14.0076 1960 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys 09:48:14.0076 1960 HidUsb - ok 09:48:14.0107 1960 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll 09:48:14.0107 1960 hkmsvc - ok 09:48:14.0107 1960 hpn - ok 09:48:14.0154 1960 [ 0A3C6AA4A9FC38C20BA4EAC2C3351C05 ] hpqcxs08 C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll 09:48:14.0154 1960 hpqcxs08 - ok 09:48:14.0201 1960 [ D03D10F7DED688FECF50F8FBF1EA9B8A ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys 09:48:14.0201 1960 HPZid412 - ok 09:48:14.0201 1960 [ 89F41658929393487B6B7D13C8528CE3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 09:48:14.0201 1960 HPZipr12 - ok 09:48:14.0201 1960 [ ABCB05CCDBF03000354B9553820E39F8 ] HPZius12 
C:\WINDOWS\system32\DRIVERS\HPZius12.sys 09:48:14.0216 1960 HPZius12 - ok 09:48:14.0263 1960 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys 09:48:14.0263 1960 HTTP - ok 09:48:14.0279 1960 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll 09:48:14.0279 1960 HTTPFilter - ok 09:48:14.0279 1960 i2omgmt - ok 09:48:14.0279 1960 i2omp - ok 09:48:14.0295 1960 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys 09:48:14.0295 1960 i8042prt - ok 09:48:14.0388 1960 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe 09:48:14.0404 1960 idsvc - ok 09:48:14.0420 1960 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys 09:48:14.0420 1960 Imapi - ok 09:48:14.0451 1960 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe 09:48:14.0451 1960 ImapiService - ok 09:48:14.0466 1960 ini910u - ok 09:48:14.0591 1960 [ 0503EB6F3359E1C6E4C46FEF376405EF ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys 09:48:14.0623 1960 IntcAzAudAddService - ok 09:48:14.0623 1960 IntelIde - ok 09:48:14.0670 1960 [ 3BB22519A194418D5FEC05D800A19AD0 ] ip6fw C:\WINDOWS\system32\drivers\ip6fw.sys 09:48:14.0670 1960 ip6fw - ok 09:48:14.0701 1960 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 09:48:14.0701 1960 IpFilterDriver - ok 09:48:14.0701 1960 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys 09:48:14.0701 1960 IpInIp - ok 09:48:14.0732 1960 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys 09:48:14.0732 1960 IpNat - ok 09:48:14.0732 1960 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys 09:48:14.0732 1960 IPSec - ok 09:48:14.0748 1960 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys 09:48:14.0763 1960 
IRENUM - ok 09:48:14.0779 1960 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys 09:48:14.0779 1960 isapnp - ok 09:48:14.0826 1960 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys 09:48:14.0826 1960 Kbdclass - ok 09:48:14.0826 1960 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys 09:48:14.0826 1960 kbdhid - ok 09:48:14.0873 1960 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys 09:48:14.0873 1960 kmixer - ok 09:48:14.0920 1960 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys 09:48:14.0920 1960 KSecDD - ok 09:48:14.0966 1960 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll 09:48:14.0966 1960 lanmanserver - ok 09:48:15.0013 1960 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll 09:48:15.0029 1960 lanmanworkstation - ok 09:48:15.0029 1960 lbrtfdc - ok 09:48:15.0076 1960 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll 09:48:15.0076 1960 LmHosts - ok 09:48:15.0123 1960 [ 500D089CE760D83DA2B6CBA681AA9949 ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys 09:48:15.0123 1960 MBAMProtector - ok 09:48:15.0154 1960 [ 85B16A92B117A5A800032ECD904B86DB ] MBAMScheduler C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe 09:48:15.0154 1960 MBAMScheduler - ok 09:48:15.0185 1960 [ 20E2469DB709FC675E655CEAA11BE312 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe 09:48:15.0185 1960 MBAMService - ok 09:48:15.0216 1960 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll 09:48:15.0216 1960 Messenger - ok 09:48:15.0248 1960 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys 09:48:15.0248 1960 mnmdd - ok 09:48:15.0279 1960 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\System32\mnmsrvc.exe 09:48:15.0279 1960 mnmsrvc - ok 
09:48:15.0310 1960 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys 09:48:15.0326 1960 Modem - ok 09:48:15.0341 1960 [ C7D9F9717916B34C1B00DD4834AF485C ] Monfilt C:\WINDOWS\system32\drivers\Monfilt.sys 09:48:15.0373 1960 Monfilt - ok 09:48:15.0404 1960 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys 09:48:15.0404 1960 Mouclass - ok 09:48:15.0451 1960 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys 09:48:15.0451 1960 mouhid - ok 09:48:15.0451 1960 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys 09:48:15.0451 1960 MountMgr - ok 09:48:15.0482 1960 [ 8C7336950F1E69CDFD811CBBD9CF00A2 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe 09:48:15.0482 1960 MozillaMaintenance - ok 09:48:15.0498 1960 [ EE728AF83850DDAD9A3FCAC0AAB3AD97 ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys 09:48:15.0498 1960 MpFilter - ok 09:48:15.0498 1960 mraid35x - ok 09:48:15.0529 1960 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys 09:48:15.0529 1960 MRxDAV - ok 09:48:15.0560 1960 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 09:48:15.0576 1960 MRxSmb - ok 09:48:15.0623 1960 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\System32\msdtc.exe 09:48:15.0623 1960 MSDTC - ok 09:48:15.0623 1960 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys 09:48:15.0623 1960 Msfs - ok 09:48:15.0623 1960 MSIServer - ok 09:48:15.0670 1960 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys 09:48:15.0670 1960 MSKSSRV - ok 09:48:15.0716 1960 [ E077FCA2A7E79FB9BF67D3E30B5CE593 ] MsMpSvc c:\Program Files\Microsoft Security Client\MsMpEng.exe 09:48:15.0716 1960 MsMpSvc - ok 09:48:15.0732 1960 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys 09:48:15.0732 1960 
MSPCLOCK - ok 09:48:15.0732 1960 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys 09:48:15.0748 1960 MSPQM - ok 09:48:15.0763 1960 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys 09:48:15.0779 1960 mssmbios - ok 09:48:15.0795 1960 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys 09:48:15.0795 1960 Mup - ok 09:48:15.0826 1960 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll 09:48:15.0826 1960 napagent - ok 09:48:15.0857 1960 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys 09:48:15.0857 1960 NDIS - ok 09:48:15.0904 1960 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys 09:48:15.0904 1960 NdisTapi - ok 09:48:15.0904 1960 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys 09:48:15.0904 1960 Ndisuio - ok 09:48:15.0904 1960 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys 09:48:15.0920 1960 NdisWan - ok 09:48:15.0966 1960 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys 09:48:15.0966 1960 NDProxy - ok 09:48:15.0966 1960 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys 09:48:15.0966 1960 NetBIOS - ok 09:48:15.0998 1960 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys 09:48:15.0998 1960 NetBT - ok 09:48:16.0029 1960 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe 09:48:16.0045 1960 NetDDE - ok 09:48:16.0045 1960 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe 09:48:16.0045 1960 NetDDEdsdm - ok 09:48:16.0076 1960 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe 09:48:16.0076 1960 Netlogon - ok 09:48:16.0138 1960 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll 09:48:16.0138 1960 Netman - ok 
09:48:16.0185 1960 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe 09:48:16.0201 1960 NetTcpPortSharing - ok 09:48:16.0216 1960 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll 09:48:16.0216 1960 Nla - ok 09:48:16.0216 1960 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys 09:48:16.0216 1960 Npfs - ok 09:48:16.0232 1960 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys 09:48:16.0248 1960 Ntfs - ok 09:48:16.0248 1960 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\System32\lsass.exe 09:48:16.0248 1960 NtLmSsp - ok 09:48:16.0279 1960 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll 09:48:16.0279 1960 NtmsSvc - ok 09:48:16.0310 1960 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys 09:48:16.0310 1960 Null - ok 09:48:16.0529 1960 [ 4B54DCD6ADEE535DF80F07C59DDD8F14 ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 09:48:16.0716 1960 nv - ok 09:48:16.0763 1960 [ C61927D27B75ED56723F2508F1A6B1BE ] NVENETFD C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 09:48:16.0763 1960 NVENETFD - ok 09:48:16.0763 1960 [ 52DCE3B30C9D61C8E20FE3C6DA4BDFB7 ] nvgts C:\WINDOWS\system32\DRIVERS\nvgts.sys 09:48:16.0763 1960 nvgts - ok 09:48:16.0810 1960 [ 6A839AC21ECDE8945D52007152F2695E ] NVHDA C:\WINDOWS\system32\drivers\nvhda32.sys 09:48:16.0810 1960 NVHDA - ok 09:48:16.0826 1960 [ C529B614EF88BE0F62B886C67B516550 ] nvnetbus C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 09:48:16.0826 1960 nvnetbus - ok 09:48:16.0826 1960 [ 0573C75A2895D973EA6EF2495620BA49 ] NVSvc C:\WINDOWS\system32\nvsvc32.exe 09:48:16.0841 1960 NVSvc - ok 09:48:16.0873 1960 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 09:48:16.0873 1960 NwlnkFlt - ok 09:48:16.0873 1960 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 
09:48:16.0873 1960 NwlnkFwd - ok 09:48:16.0935 1960 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 09:48:16.0935 1960 ose - ok 09:48:16.0966 1960 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys 09:48:16.0966 1960 Parport - ok 09:48:16.0998 1960 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys 09:48:16.0998 1960 PartMgr - ok 09:48:17.0029 1960 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys 09:48:17.0029 1960 ParVdm - ok 09:48:17.0045 1960 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys 09:48:17.0045 1960 PCI - ok 09:48:17.0045 1960 PCIDump - ok 09:48:17.0045 1960 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys 09:48:17.0045 1960 PCIIde - ok 09:48:17.0076 1960 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys 09:48:17.0076 1960 Pcmcia - ok 09:48:17.0076 1960 PDCOMP - ok 09:48:17.0076 1960 PDFRAME - ok 09:48:17.0091 1960 PDRELI - ok 09:48:17.0091 1960 PDRFRAME - ok 09:48:17.0107 1960 perc2 - ok 09:48:17.0107 1960 perc2hib - ok 09:48:17.0154 1960 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe 09:48:17.0154 1960 PlugPlay - ok 09:48:17.0154 1960 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe 09:48:17.0154 1960 PolicyAgent - ok 09:48:17.0185 1960 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys 09:48:17.0201 1960 PptpMiniport - ok 09:48:17.0201 1960 [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor C:\WINDOWS\system32\DRIVERS\processr.sys 09:48:17.0201 1960 Processor - ok 09:48:17.0201 1960 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe 09:48:17.0201 1960 ProtectedStorage - ok 09:48:17.0201 1960 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched 
C:\WINDOWS\system32\DRIVERS\psched.sys 09:48:17.0201 1960 PSched - ok 09:48:17.0232 1960 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys 09:48:17.0232 1960 Ptilink - ok 09:48:17.0232 1960 ql1080 - ok 09:48:17.0232 1960 Ql10wnt - ok 09:48:17.0248 1960 ql12160 - ok 09:48:17.0248 1960 ql1240 - ok 09:48:17.0248 1960 ql1280 - ok 09:48:17.0279 1960 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys 09:48:17.0279 1960 RasAcd - ok 09:48:17.0326 1960 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll 09:48:17.0326 1960 RasAuto - ok 09:48:17.0341 1960 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 09:48:17.0341 1960 Rasl2tp - ok 09:48:17.0388 1960 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll 09:48:17.0388 1960 RasMan - ok 09:48:17.0388 1960 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys 09:48:17.0388 1960 RasPppoe - ok 09:48:17.0404 1960 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys 09:48:17.0404 1960 Raspti - ok 09:48:17.0404 1960 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys 09:48:17.0404 1960 Rdbss - ok 09:48:17.0404 1960 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 09:48:17.0404 1960 RDPCDD - ok 09:48:17.0435 1960 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys 09:48:17.0435 1960 rdpdr - ok 09:48:17.0466 1960 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys 09:48:17.0466 1960 RDPWD - ok 09:48:17.0482 1960 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe 09:48:17.0482 1960 RDSessMgr - ok 09:48:17.0513 1960 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys 09:48:17.0513 1960 redbook - ok 09:48:17.0529 1960 [ 
7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll 09:48:17.0529 1960 RemoteAccess - ok 09:48:17.0560 1960 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll 09:48:17.0560 1960 RemoteRegistry - ok 09:48:17.0560 1960 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\System32\locator.exe 09:48:17.0560 1960 RpcLocator - ok 09:48:17.0576 1960 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll 09:48:17.0591 1960 RpcSs - ok 09:48:17.0607 1960 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\System32\rsvp.exe 09:48:17.0623 1960 RSVP - ok 09:48:17.0654 1960 [ 581E74880AEB1DBA1CB5AC8E6E6C0A69 ] RT61 C:\WINDOWS\system32\DRIVERS\RT61.sys 09:48:17.0654 1960 RT61 - ok 09:48:17.0685 1960 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe 09:48:17.0685 1960 SamSs - ok 09:48:17.0685 1960 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe 09:48:17.0685 1960 SCardSvr - ok 09:48:17.0685 1960 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll 09:48:17.0701 1960 Schedule - ok 09:48:17.0732 1960 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys 09:48:17.0732 1960 Secdrv - ok 09:48:17.0732 1960 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll 09:48:17.0732 1960 seclogon - ok 09:48:17.0732 1960 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll 09:48:17.0732 1960 SENS - ok 09:48:17.0748 1960 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys 09:48:17.0763 1960 serenum - ok 09:48:17.0763 1960 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys 09:48:17.0763 1960 Serial - ok 09:48:17.0795 1960 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys 09:48:17.0795 1960 Sfloppy - ok 09:48:17.0841 1960 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess 
C:\WINDOWS\System32\ipnathlp.dll 09:48:17.0841 1960 SharedAccess - ok 09:48:17.0857 1960 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll 09:48:17.0857 1960 ShellHWDetection - ok 09:48:17.0857 1960 Simbad - ok 09:48:17.0857 1960 Sparrow - ok 09:48:17.0904 1960 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys 09:48:17.0904 1960 splitter - ok 09:48:17.0935 1960 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe 09:48:17.0935 1960 Spooler - ok 09:48:17.0966 1960 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys 09:48:17.0966 1960 sr - ok 09:48:17.0966 1960 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll 09:48:17.0966 1960 srservice - ok 09:48:18.0013 1960 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys 09:48:18.0013 1960 Srv - ok 09:48:18.0029 1960 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll 09:48:18.0029 1960 SSDPSRV - ok 09:48:18.0045 1960 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll 09:48:18.0045 1960 stisvc - ok 09:48:18.0076 1960 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys 09:48:18.0076 1960 swenum - ok 09:48:18.0091 1960 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys 09:48:18.0091 1960 swmidi - ok 09:48:18.0091 1960 SwPrv - ok 09:48:18.0107 1960 symc810 - ok 09:48:18.0107 1960 symc8xx - ok 09:48:18.0107 1960 sym_hi - ok 09:48:18.0107 1960 sym_u3 - ok 09:48:18.0123 1960 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys 09:48:18.0123 1960 sysaudio - ok 09:48:18.0138 1960 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe 09:48:18.0138 1960 SysmonLog - ok 09:48:18.0170 1960 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll 09:48:18.0170 1960 TapiSrv - ok 
09:48:18.0216 1960 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys 09:48:18.0216 1960 Tcpip - ok 09:48:18.0232 1960 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys 09:48:18.0232 1960 TDPIPE - ok 09:48:18.0263 1960 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys 09:48:18.0263 1960 TDTCP - ok 09:48:18.0263 1960 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys 09:48:18.0279 1960 TermDD - ok 09:48:18.0295 1960 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll 09:48:18.0295 1960 TermService - ok 09:48:18.0310 1960 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll 09:48:18.0310 1960 Themes - ok 09:48:18.0357 1960 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\System32\tlntsvr.exe 09:48:18.0357 1960 TlntSvr - ok 09:48:18.0373 1960 TosIde - ok 09:48:18.0388 1960 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll 09:48:18.0404 1960 TrkWks - ok 09:48:18.0435 1960 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys 09:48:18.0435 1960 Udfs - ok 09:48:18.0435 1960 ultra - ok 09:48:18.0466 1960 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys 09:48:18.0466 1960 Update - ok 09:48:18.0482 1960 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll 09:48:18.0482 1960 upnphost - ok 09:48:18.0498 1960 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe 09:48:18.0513 1960 UPS - ok 09:48:18.0545 1960 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys 09:48:18.0545 1960 usbccgp - ok 09:48:18.0560 1960 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys 09:48:18.0560 1960 usbehci - ok 09:48:18.0591 1960 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys 09:48:18.0607 
1960 usbhub - ok 09:48:18.0607 1960 [ 0DAECCE65366EA32B162F85F07C6753B ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys 09:48:18.0607 1960 usbohci - ok 09:48:18.0654 1960 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys 09:48:18.0654 1960 usbprint - ok 09:48:18.0685 1960 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys 09:48:18.0685 1960 usbscan - ok 09:48:18.0701 1960 [ A32426D9B14A089EAA1D922E0C5801A9 ] usbstor C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 09:48:18.0701 1960 usbstor - ok 09:48:18.0732 1960 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys 09:48:18.0732 1960 VgaSave - ok 09:48:18.0763 1960 ViaIde - ok 09:48:18.0795 1960 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys 09:48:18.0795 1960 VolSnap - ok 09:48:18.0795 1960 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe 09:48:18.0810 1960 VSS - ok 09:48:18.0810 1960 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll 09:48:18.0810 1960 W32Time - ok 09:48:18.0857 1960 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys 09:48:18.0857 1960 Wanarp - ok 09:48:18.0857 1960 WDICA - ok 09:48:18.0873 1960 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys 09:48:18.0873 1960 wdmaud - ok 09:48:18.0888 1960 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll 09:48:18.0888 1960 WebClient - ok 09:48:18.0966 1960 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll 09:48:18.0982 1960 winmgmt - ok 09:48:19.0013 1960 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll 09:48:19.0013 1960 WmdmPmSN - ok 09:48:19.0029 1960 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll 09:48:19.0045 1960 Wmi - ok 09:48:19.0060 1960 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv 
C:\WINDOWS\System32\wbem\wmiapsrv.exe 09:48:19.0060 1960 WmiApSrv - ok 09:48:19.0154 1960 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe 09:48:19.0170 1960 WMPNetworkSvc - ok 09:48:19.0216 1960 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe 09:48:19.0216 1960 WPFFontCache_v0400 - ok 09:48:19.0263 1960 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys 09:48:19.0263 1960 WS2IFSL - ok 09:48:19.0310 1960 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll 09:48:19.0310 1960 wscsvc - ok 09:48:19.0326 1960 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll 09:48:19.0326 1960 wuauserv - ok 09:48:19.0341 1960 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys 09:48:19.0357 1960 WudfPf - ok 09:48:19.0357 1960 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys 09:48:19.0373 1960 WudfRd - ok 09:48:19.0373 1960 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll 09:48:19.0388 1960 WudfSvc - ok 09:48:19.0420 1960 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll 09:48:19.0435 1960 WZCSVC - ok 09:48:19.0451 1960 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll 09:48:19.0466 1960 xmlprov - ok 09:48:19.0466 1960 ================ Scan global =============================== 09:48:19.0498 1960 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll 09:48:19.0545 1960 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll 09:48:19.0560 1960 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll 09:48:19.0560 1960 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe 09:48:19.0576 1960 [Global] - ok 09:48:19.0576 1960 ================ Scan MBR 
==================================
09:48:19.0591 1960 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
09:48:19.0748 1960 \Device\Harddisk0\DR0 - ok
09:48:19.0748 1960 ================ Scan VBR ==================================
09:48:19.0748 1960 [ CB8236C74349282F7A3150DC09BB2861 ] \Device\Harddisk0\DR0\Partition1
09:48:19.0748 1960 \Device\Harddisk0\DR0\Partition1 - ok
09:48:19.0748 1960 ============================================================
09:48:19.0748 1960 Scan finished
09:48:19.0748 1960 ============================================================
09:48:19.0763 0856 Detected object count: 0
09:48:19.0763 0856 Actual detected object count: 0
09:48:57.0935 3236 Deinitialize success

--- aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software Run date: 2012-12-21 16:52:51 -----------------------------
16:52:51.812 OS Version: Windows 5.1.2600 Service Pack 3
16:52:51.812 Number of processors: 2 586 0x603
16:52:51.812 ComputerName: HAYSEEDHOMEBASE UserName: Tom
16:52:52.812 Initialize success
16:53:06.859 AVAST engine defs: 12122101
16:53:13.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port0Path0Target0Lun0
16:53:13.203 Disk 0 Vendor: ST350041 JC45 Size: 476940MB BusType: 3
16:53:13.218 Disk 0 MBR read successfully
16:53:13.218 Disk 0 MBR scan
16:53:13.234 Disk 0 Windows XP default MBR code
16:53:13.234 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
16:53:13.234 Disk 0 scanning sectors +976752000
16:53:13.296 Disk 0 scanning C:\WINDOWS\system32\drivers
16:53:20.156 Service scanning
16:53:34.265 Modules scanning
16:53:38.296 Disk 0 trace - called modules:
16:53:38.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
16:53:38.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a85b030]
16:53:38.812 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000062[0x8a8ac630]
16:53:38.812 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Scsi\nvgts1Port0Path0Target0Lun0[0x8a8ab030]
16:53:48.625 AVAST engine scan C:\WINDOWS
16:54:09.968 AVAST engine scan C:\WINDOWS\system32
16:56:37.828 AVAST engine scan C:\WINDOWS\system32\drivers
16:56:59.359 AVAST engine scan C:\Documents and Settings\Tom
17:22:48.125 AVAST engine scan C:\Documents and Settings\All Users
17:28:48.671 File: C:\Documents and Settings\All Users\Documents\Ham Radio\New Folder (2)\VXO\fast__auto.exe **INFECTED** Win32:Dropper-gen [Drp]
17:34:58.062 Scan finished successfully
18:56:57.984 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tom\Desktop\MBR.dat"
18:56:57.984 The log file has been saved successfully to "C:\Documents and Settings\Tom\Desktop\aswMBR.txt"

Thanks, Tom
-
Didn't have any problems at all, it loaded the console okay, but the computer's symptoms haven't changed, i.e. the legitimate search engines are still being redirected to newsbusters, livesearchnow, scour - maybe more. About a week ago, the computer had mocaflix, but I thought the MBAM got rid of it. It hasn't been around for a few days - I wonder if it dropped the stuff that we're seeing now. Also, when I went to disable Windows Essentials before this last scan, the WE console came up for less than a second. It was red with a red "X", then it disappeared. The icon in the tray on the lower right came on red also. It stayed on for about two seconds then disappeared, too. Here's the Combofix log: ComboFix 12-12-20.02 - Tom 12/20/2012 19:13:02.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2027 [GMT -6:00] Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Tom\Recent\Thumbs.db C:\Thumbs.db c:\windows\EventSystem.log c:\windows\system32\dllcache\wmpvis.dll c:\windows\system32\drivers\etc\hosts.ics c:\windows\system32\drivers\npf.sys c:\windows\system32\Packet.dll c:\windows\system32\pthreadVC.dll c:\windows\system32\SET1903.tmp c:\windows\system32\SET1907.tmp c:\windows\system32\SET1908.tmp c:\windows\system32\SET1910.tmp c:\windows\system32\wpcap.dll c:\windows\XSxS . . ((((((((((((((((((((((((( Files Created from 2012-11-21 to 2012-12-21 ))))))))))))))))))))))))))))))) . . 2012-12-18 19:44 . 2012-12-18 19:44 -------- d-----w- c:\documents and settings\Administrator.HAYSEEDHOMEBASE 2012-12-18 19:10 . 2012-12-18 19:10 -------- d-----w- C:\TDSSKiller_Quarantine 2012-12-15 15:20 . 2012-12-15 15:20 135168 --sha-r- c:\windows\system32\lfjbguw.dll 2012-12-14 23:19 . 
2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EF29CA5B-C78A-4138-920B-72FFB227853F}\mpengine.dll 2012-12-14 22:20 . 2012-12-14 22:24 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Deployment 2012-12-13 18:32 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes 2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2012-12-12 18:15 . 2012-09-30 01:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-12-11 18:18 . 2011-12-12 23:43 1034240 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys 2012-12-11 18:18 . 2010-02-03 17:21 89088 ----a-w- c:\windows\system32\ATL71.DLL . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-12-12 09:16 . 2012-04-15 01:39 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-12-12 09:16 . 2011-05-29 02:56 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-11-13 01:25 . 2003-03-31 07:00 1866368 ----a-w- c:\windows\system32\win32k.sys 2012-11-06 00:41 . 2003-03-31 07:00 290560 ----a-w- c:\windows\system32\atmfd.dll 2012-11-02 02:02 . 2003-03-31 07:00 375296 ----a-w- c:\windows\system32\dpnet.dll 2012-11-01 12:17 . 2003-03-31 07:00 916992 ----a-w- c:\windows\system32\wininet.dll 2012-11-01 12:17 . 2003-03-31 07:00 43520 ------w- c:\windows\system32\licmgr10.dll 2012-11-01 12:17 . 2003-03-31 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2012-11-01 00:35 . 2011-05-23 07:33 385024 ------w- c:\windows\system32\html.iec 2012-10-02 18:04 . 
2003-03-31 07:00 58368 ----a-w- c:\windows\system32\synceng.dll 2012-12-05 05:53 . 2012-12-05 05:53 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green] @="{95A27763-F62A-4114-9072-E81D87DE3B68}" [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}] 2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial] @="{E300CD91-100F-4E67-9AF3-1384A6124015}" [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}] 2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow] @="{5E529433-B50E-4bef-A63B-16A6B71B071A}" [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}] 2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Radio365Agent"="c:\program files\Live365\Radio365\Radio365TrayAgent.exe" [2011-04-13 1003520] "RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2010-11-23 500992] "RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2010-11-23 38144] "Flashpaste"="c:\program files\Flashpaste\flashpaste.exe" [2011-04-17 643584] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408] "CGFLoader"="c:\program files\Calibrize\CalibrizeLoader.exe" [2007-11-26 1961984] "CalibrizeResume"="c:\program files\Calibrize\CalibrizeResume.exe" [2007-11-26 413696] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2010-11-02 19580520] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-10-08 203072] "nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360] "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432] "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176] "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976] "AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696] "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-08-29 1061960] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] . c:\documents and settings\Tom\Start Menu\Programs\Startup\ Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2008-4-29 1699840] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768] . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer] @="Service" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . 
[HKEY_LOCAL_MACHINE\software\microsoft\security center] "FirewallOverride"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"= "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"= "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Adobe Download Assistant\\Adobe Download Assistant.exe"= "c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"= "c:\\Program Files\\LogMeIn Hamachi\\hamachi-2-ui.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 . 
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [5/27/2011 3:28 PM 218688] R2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE [4/9/2012 12:36 PM 125440] R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2/28/2012 4:38 PM 1373576] R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/12/2012 12:15 PM 399432] R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [12/11/2012 12:18 PM 1034240] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/12/2012 12:15 PM 22856] S1 dcubamvg;dcubamvg;\??\c:\windows\system32\drivers\dcubamvg.sys --> c:\windows\system32\drivers\dcubamvg.sys [?] S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/12/2012 12:15 PM 676936] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/23/2011 1:58 AM 1691480] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - TRUESIGHT *Deregistered* - TrueSight . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder . 2012-12-20 c:\windows\Tasks\AdobeAAMUpdater-1.0-HAYSEEDHOMEBASE-Tom.job - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-06-28 22:42] . 2012-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003Core.job - c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-23 08:06] . 2012-12-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003UA.job - c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-23 08:06] . 
2012-12-20 c:\windows\Tasks\Wnorzxwzl.job - c:\windows\system32\lfjbguw.dll [2012-12-15 15:20] . 2012-12-21 c:\windows\Tasks\WpsUpdateTask_Tom.job - c:\program files\Kingsoft\Kingsoft Spreadsheets\office6\wpsupdate.exe [2011-11-03 16:00] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com mStart Page = hxxp://www.google.com IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 TCP: DhcpNameServer = 192.168.1.1 FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\ FF - prefs.js: browser.search.selectedEngine - Yahoo FF - prefs.js: browser.startup.homepage - about:home FF - ExtSQL: 2012-12-12 08:01; firebug@software.joehewitt.com; c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\extensions\firebug@software.joehewitt.com.xpi FF - ExtSQL: !HIDDEN! 2011-05-27 14:59; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 . - - - - ORPHANS REMOVED - - - - . WebBrowser-{A057A204-BACC-4D26-8287-79A187E26987} - (no file) HKCU-Run-AdobeBridge - (no file) HKLM-Run-SwitchBoard - c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe SafeBoot-92853170.sys . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-12-20 19:16 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . Completion time: 2012-12-20 19:18:05 ComboFix-quarantined-files.txt 2012-12-21 01:18 . Pre-Run: 441,456,492,544 bytes free Post-Run: 445,146,615,808 bytes free . 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot Loader] Timeout=2 Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\ [Operating Systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\="Microsoft Windows" /fastdetect /NoExecute=OptIn . - - End Of File - - 23C41C17A389ABAA591B33FFE6DF421E Thanks, Tom
-
Hi, Gringo. Thanks for the quick reply. I am still getting redirects - newsbuster, scour, etc. Here are my logs:

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java 6 Update 22
Java 6 Update 35
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.5.502.135
Adobe Reader 10.1.4 Adobe Reader out of Date!
Mozilla Firefox (17.0.1)
Mozilla Thunderbird (5.0). Thunderbird out of Date!
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

# AdwCleaner v2.101 - Logfile created 12/20/2012 at 15:12:01
# Updated 16/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Tom - HAYSEEDHOMEBASE
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Tom\My Documents\Downloads\AdwCleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kincjchfokkeneeofpeefomkikfkiedl
Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Premium
Folder Deleted : C:\Documents and Settings\All Users\Application Data\SaveAs

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://websearch.mocaflix.com/ --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://websearch.mocaflix.com/ --> hxxp://www.google.com

-\\ Mozilla Firefox v17.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\prefs.js

Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Deleted : user_pref("aol_toolbar.default.search.check", false);
Deleted : user_pref("browser.search.defaultenginename", "WebSearch");
Deleted : user_pref("browser.search.defaultenginename,S", "WebSearch");
Deleted : user_pref("browser.search.defaulturl", "hxxp://websearch.mocaflix.com/?l=1&q=");
Deleted : user_pref("browser.search.order.1", "WebSearch");
Deleted : user_pref("browser.search.order.1,S", "WebSearch");
Deleted : user_pref("browser.search.selectedEngine,S", "WebSearch");
Deleted : user_pref("extensions.50b8f6939d95e.scode", "(function(){try{if('aol.com,mail.google.com,mystart.inc[...]
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Deleted : user_pref("keyword.URL", "hxxp://websearch.mocaflix.com/?l=1&q=");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

Profile name : default
File : C:\Documents and Settings\Administrator.HAYSEEDHOMEBASE\Application Data\Mozilla\Firefox\Profiles\tslijr5u.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3835 octets] - [20/12/2012 15:09:56]
AdwCleaner[s1].txt - [3750 octets] - [20/12/2012 15:12:01]

########## EOF - C:\AdwCleaner[s1].txt - [3810 octets] ##########

RogueKiller V8.4.0 [Dec 20 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Tom [Admin rights]
Mode : Remove -- Date : 12/20/2012 15:22:48

¤¤¤ Bad processes : 1 ¤¤¤
[sUSP PATH] GoogleCrashHandler.exe -- C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\1.3.21.123\GoogleCrashHandler.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][sUSP PATH] HKUS\.DEFAULT[...]\Run : Bifröst II on HAYSEEDHOMEBASE (from HAYSEEDMOBILE) (C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIHEA.EXE /FU "C:\WINDOWS\TEMP\E_S67D.tmp" /EF "HKCU") -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST350041 3AS SCSI Disk Device +++++
--- User ---
[MBR] d391c0715b9607c37bc8bfe68b54cb65
[bSP] d798585473137686660b7b42e1787804 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_12202012_02d1522.txt >>
RKreport[1]_S_12202012_02d1522.txt ; RKreport[2]_D_12202012_02d1522.txt

Thanks, Tom