Everything posted by de_novo

  1. When I reboot I do get an error:

     ---------------------------
     ccApp.exe - Unable To Locate Component
     ---------------------------
     This application has failed to start because ccL40.dll was not found. Re-installing the application may fix this problem.
     ---------------------------
     OK
     ---------------------------
  2. Everything seems fine. I have no messages from SEP. I see no unusual things running. What about Acrobat 6 Pro? Does it have too many security holes? Was any software uninstalled or deleted by ComboFix? Roxio seems to be working. Not sure why I have the Ricoh RMClient stuff running. I don't recall having Ricoh printers. We have very large 100 PPM Canon and Toshibas that may have purchased Ricoh product.

     An off-topic question: the machine from which I am posting this, on the same network, is getting a SEP popup at times of "[SID 20495] FTP MS IIS Status DoS Detected". The logs show it's from 0.0.0.0, i.e. not traceable. I do have IIS and SQL running for doing VS dev, but haven't done any in a long time. The FTP and SMTP servers are not running. I am on a network with 20 other PCs, so it is possible it's one of them. I am behind a NAT router. I don't have MBAM installed, but do have a license. Installing that would be my next step. Wondering if it is safe to run TDSSKiller and MBER to see if there are any TD or BootRec infections?
  3. I ran the script. It rebooted, then opened the log.

     \\\\\\\\\\\\\\\\\\\ ComboFix Log \\\\\\\\\\\\\\\\\\\

     ComboFix 10-07-06.02 - Earl 07/06/2010 17:46:44.3.1 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1520 [GMT -5:00]
     Running from: c:\documents and settings\Earl\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Earl\Desktop\CFScript.txt
     AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
     FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
     .
     ((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
     .
     2010-06-25 20:14 . 2010-06-25 20:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
     2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
     2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Sonic
     2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Common Files\Sonic Shared
     2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
     2010-06-25 18:10 . 2010-06-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
     2010-06-25 18:10 . 2010-06-25 18:10 -------- d-----w- c:\program files\DivX
     2010-06-24 20:42 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
     2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\Earl\Application Data\Malwarebytes
     2010-06-24 14:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-06-24 14:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-06-21 20:44 . 2010-06-03 00:59 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
     2010-06-21 20:42 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
     2010-06-21 20:42 . 2010-06-21 20:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
     2010-06-21 20:42 . 2010-06-21 20:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
     2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
     2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
     2010-06-16 07:13 . 2010-06-16 07:13 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-07-06 21:33 . 2008-01-03 21:57 -------- d-----w- c:\program files\Symantec AntiVirus
     2010-07-06 21:33 . 2004-09-09 14:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
     2010-07-06 17:44 . 2002-08-29 12:00 577536 ----a-w- c:\windows\system32\user32.dll
     2010-07-01 23:32 . 2004-08-12 21:22 48424 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-07-01 18:51 . 2004-08-03 20:28 -------- d-----w- c:\documents and settings\Earl\Application Data\AdobeUM
     2010-06-25 22:47 . 2004-08-03 20:15 -------- d-----w- c:\documents and settings\Earl\Application Data\Roxio
     2010-06-25 18:12 . 2004-07-28 12:05 -------- d-----w- c:\program files\Roxio
     2010-06-25 18:12 . 2004-07-28 12:04 -------- d-----w- c:\program files\Common Files\Roxio Shared
     2010-06-24 20:15 . 2010-06-16 07:06 112 ----a-w- c:\documents and settings\All Users\Application Data\q818282.dat
     2010-06-24 18:58 . 2002-08-29 12:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys
     2010-06-21 20:43 . 2004-08-17 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
     2010-06-21 20:42 . 2010-06-21 20:42 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
     2010-06-21 20:42 . 2010-06-21 20:42 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
     2010-06-21 20:42 . 2004-08-17 13:37 -------- d-----w- c:\program files\Symantec
     2010-06-21 16:50 . 2004-09-30 17:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
     2010-06-21 16:48 . 2004-09-07 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2010-05-06 10:41 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
     2010-05-02 05:56 . 2002-08-29 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
     2010-04-20 05:51 . 2002-08-29 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
     .
     <pre>
     c:\program files\Spybot - Search & Destroy\TeaTimer .exe
     </pre>

     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
     "POINTER"="point32.exe" [N/A]
     "Matrox PowerDesk 8"="c:\windows\System32\PowerDesk8\Matrox.PowerDesk.exe" [2004-06-10 90112]
     "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [N/A]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
     "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-09 868352]
     "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]
     "RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
     "Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     SmartDeviceMonitor for Client.lnk - c:\program files\RDS\RMClient\PMClient.exe [2009-9-10 495616]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
     2009-12-16 00:13 15216 ----a-w- c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
     @="Service"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
     @="Service"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
     @="Service"

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
     "EPSON Stylus Photo R2400"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /FU "c:\windows\TEMP\E_S116.tmp" /EF "HKCU"

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
     "JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe
     "MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
     "NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
     "NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NvMcTray.dll,NvTaskbarInit
     "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
     "e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
     "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
     "e:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

     R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [1/7/2003 4:01 AM 77056]
     R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 9:59 AM 304464]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/21/2010 3:47 PM 102448]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 9:59 AM 20952]
     R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [6/10/2004 3:46 PM 465280]
     S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]
     .
     Contents of the 'Scheduled Tasks' folder

     2010-07-02 c:\windows\Tasks\diskspacecheck.job
     - e:\Earl\DiskFreeSpace\DiskSpaceCheck\diskspacecheck.exe [2009-07-15 14:16]

     2009-04-17 c:\windows\Tasks\getecf320 Train.job
     - d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

     2009-04-17 c:\windows\Tasks\getecf320.job
     - d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

     2010-07-06 c:\windows\Tasks\Internet Explorer.job
     - c:\progra~1\INTERN~1\iexplore.exe [2004-05-03 20:09]

     2004-09-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
     - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-12 20:31]

     2010-07-06 c:\windows\Tasks\User_Feed_Synchronization-{72469434-CA1D-442C-A963-92B52CFDD63A}.job
     - c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = file:///C:/MyHomePage.htm
     mSearch Bar = hxxp://www.google.com/
     uSearchAssistant = about:blank
     uSearchURL,(Default) = hxxp://www.google.com/
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
     Trusted Zone: uscourts.gov
     DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-07-06 17:57
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Microsoft\SystemCertificates\AddressBook*]
     @Allowed: (Read) (RestrictedCode)
     @Allowed: (Read) (RestrictedCode)

     [HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
     @Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
     @Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
     @Allowed: (Read) (RestrictedCode)
     @Allowed: (Read) (RestrictedCode)
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(1164)
     c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

     - - - - - - - > 'explorer.exe'(2808)
     c:\windows\system32\WININET.dll
     c:\windows\System32\PowerDesk8\Matrox.PowerDesk.Hooks.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\IEFRAME.dll
     c:\program files\Microsoft Office\OFFICE11\msohev.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     e:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
     c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
     c:\windows\SYSTEM32\GEARSEC.EXE
     c:\program files\Expertcity\GoToMyPC\g2svc.exe
     c:\program files\Expertcity\GoToMyPC\g2comm.exe
     c:\program files\Expertcity\GoToMyPC\g2pre.exe
     c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
     c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
     e:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
     c:\program files\Expertcity\GoToMyPC\g2tray.exe
     c:\windows\system32\wdfmgr.exe
     c:\windows\System32\MsPMSPSv.exe
     c:\windows\system32\wscntfy.exe
     e:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
     c:\windows\SOUNDMAN.EXE
     c:\program files\Microsoft Hardware\Mouse\point32.exe
     c:\windows\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
     c:\program files\RDS\RMClient\PMCTray.exe
     c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
     .
     **************************************************************************
     .
     Completion time: 2010-07-06 18:02:15 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-07-06 23:02
     ComboFix2.txt 2010-07-06 21:47
     ComboFix3.txt 2010-07-06 18:17

     Pre-Run: 4,649,140,224 bytes free
     Post-Run: 4,627,718,144 bytes free

     - - End Of File - - C29D2428B27F871AF084DCE73A817944
  4. Downloaded the new ComboFix.exe, named it ComboFix.exe and put it on my Desktop. Dragged and dropped the above CFScript.txt onto it. CF ran, then without asking rebooted and opened the log. Here it is.....

     \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

     ComboFix 10-07-06.02 - Earl 07/06/2010 16:33:51.2.1 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1516 [GMT -5:00]
     Running from: c:\documents and settings\Earl\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Earl\Desktop\CFScript.txt
     AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
     FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
     .
     ((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
     .
     2010-06-25 20:14 . 2010-06-25 20:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio
     2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
     2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Sonic
     2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Common Files\Sonic Shared
     2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
     2010-06-25 18:10 . 2010-06-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
     2010-06-25 18:10 . 2010-06-25 18:10 -------- d-----w- c:\program files\DivX
     2010-06-24 20:42 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
     2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\Earl\Application Data\Malwarebytes
     2010-06-24 14:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-06-24 14:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-06-21 20:44 . 2010-06-03 00:59 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
     2010-06-21 20:42 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
     2010-06-21 20:42 . 2010-06-21 20:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
     2010-06-21 20:42 . 2010-06-21 20:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
     2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
     2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
     2010-06-16 07:13 . 2010-06-16 07:13 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-07-06 21:33 . 2008-01-03 21:57 -------- d-----w- c:\program files\Symantec AntiVirus
     2010-07-06 21:33 . 2004-09-09 14:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
     2010-07-06 17:44 . 2002-08-29 12:00 577536 ----a-w- c:\windows\system32\user32.dll
     2010-07-01 23:32 . 2004-08-12 21:22 48424 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-07-01 18:51 . 2004-08-03 20:28 -------- d-----w- c:\documents and settings\Earl\Application Data\AdobeUM
     2010-06-25 22:47 . 2004-08-03 20:15 -------- d-----w- c:\documents and settings\Earl\Application Data\Roxio
     2010-06-25 18:12 . 2004-07-28 12:05 -------- d-----w- c:\program files\Roxio
     2010-06-25 18:12 . 2004-07-28 12:04 -------- d-----w- c:\program files\Common Files\Roxio Shared
     2010-06-24 20:15 . 2010-06-16 07:06 112 ----a-w- c:\documents and settings\All Users\Application Data\q818282.dat
     2010-06-24 18:58 . 2002-08-29 12:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys
     2010-06-21 20:43 . 2004-08-17 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
     2010-06-21 20:42 . 2010-06-21 20:42 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
     2010-06-21 20:42 . 2010-06-21 20:42 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
     2010-06-21 20:42 . 2004-08-17 13:37 -------- d-----w- c:\program files\Symantec
     2010-06-21 16:50 . 2004-09-30 17:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
     2010-06-21 16:48 . 2004-09-07 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
     2010-05-06 10:41 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
     2010-05-02 05:56 . 2002-08-29 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
     2010-04-20 05:51 . 2002-08-29 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
     .
     <pre>
     c:\program files\Spybot - Search & Destroy\TeaTimer .exe
     </pre>

     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
     "POINTER"="point32.exe" [N/A]
     "Matrox PowerDesk 8"="c:\windows\System32\PowerDesk8\Matrox.PowerDesk.exe" [2004-06-10 90112]
     "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [N/A]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
     "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-09 868352]
     "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]
     "RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
     "Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     SmartDeviceMonitor for Client.lnk - c:\program files\RDS\RMClient\PMClient.exe [2009-9-10 495616]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
     2009-12-16 00:13 15216 ----a-w- c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
     @="Service"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
     @="Service"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
     @="Service"

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
     "EPSON Stylus Photo R2400"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /FU "c:\windows\TEMP\E_S116.tmp" /EF "HKCU"

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
     "JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe
     "MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
     "NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
     "NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NvMcTray.dll,NvTaskbarInit
     "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
     "e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
     "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
     "e:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

     R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [1/7/2003 4:01 AM 77056]
     R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 9:59 AM 304464]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/21/2010 3:47 PM 102448]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 9:59 AM 20952]
     R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [6/10/2004 3:46 PM 465280]
     S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]
     .
     Contents of the 'Scheduled Tasks' folder

     2010-07-02 c:\windows\Tasks\diskspacecheck.job
     - e:\Earl\DiskFreeSpace\DiskSpaceCheck\diskspacecheck.exe [2009-07-15 14:16]

     2009-04-17 c:\windows\Tasks\getecf320 Train.job
     - d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

     2009-04-17 c:\windows\Tasks\getecf320.job
     - d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

     2010-07-06 c:\windows\Tasks\Internet Explorer.job
     - c:\progra~1\INTERN~1\iexplore.exe [2004-05-03 20:09]

     2004-09-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
     - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-12 20:31]

     2010-07-06 c:\windows\Tasks\User_Feed_Synchronization-{72469434-CA1D-442C-A963-92B52CFDD63A}.job
     - c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = file:///C:/MyHomePage.htm
     mSearch Bar = hxxp://www.google.com/
     uSearchAssistant = about:blank
     uSearchURL,(Default) = hxxp://www.google.com/
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
     Trusted Zone: uscourts.gov
     DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-07-06 16:42
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Microsoft\SystemCertificates\AddressBook*]
     @Allowed: (Read) (RestrictedCode)
     @Allowed: (Read) (RestrictedCode)

     [HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
     @Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
     @Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
     @Allowed: (Read) (RestrictedCode)
     @Allowed: (Read) (RestrictedCode)
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(1172)
     c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

     - - - - - - - > 'explorer.exe'(3928)
     c:\windows\system32\WININET.dll
     c:\windows\System32\PowerDesk8\Matrox.PowerDesk.Hooks.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\IEFRAME.dll
     c:\program files\Microsoft Office\OFFICE11\msohev.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     e:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
     c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
     c:\windows\SYSTEM32\GEARSEC.EXE
     c:\program files\Expertcity\GoToMyPC\g2svc.exe
     c:\program files\Expertcity\GoToMyPC\g2comm.exe
     c:\program files\Expertcity\GoToMyPC\g2pre.exe
     c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
     c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
     e:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
     c:\windows\system32\wdfmgr.exe
     c:\windows\System32\MsPMSPSv.exe
     c:\program files\Expertcity\GoToMyPC\g2tray.exe
     c:\windows\system32\wscntfy.exe
     e:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
     c:\windows\SOUNDMAN.EXE
     c:\program files\Microsoft Hardware\Mouse\point32.exe
     c:\windows\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
     c:\program files\RDS\RMClient\PMCTray.exe
     c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
     .
     **************************************************************************
     .
     Completion time: 2010-07-06 16:47:48 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-07-06 21:47
     ComboFix2.txt 2010-07-06 18:17

     Pre-Run: 4,622,880,768 bytes free
     Post-Run: 4,634,267,648 bytes free

     - - End Of File - - 6CCCEDB750813412EC0C9144FEB86EC4
  5. Based on your prior instructions, my ComboFix is named Combo-Fix.exe. When I dragged and dropped the CFScript.txt onto Combo-Fix.exe, a message said a new version was available and asked me if I wanted to update. To be safe I answered NO. I am rebooting, then will download ComboFix from your BC site and drop the script on it.
  6. Per your instrux the combo fix log, also attached ComboFix 10-07-06.01 - Earl 07/06/2010 12:42:03.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1435 [GMT -5:00] Running from: c:\documents and settings\Earl\Desktop\Combo-Fix.exe AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6} * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\setup.exe c:\windows\patch.exe c:\windows\system32\gotomon.log c:\windows\xpsp1hfm.log . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_FILEMON -------\Service_FILEMON ((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 ))))))))))))))))))))))))))))))) . 2010-06-25 20:14 . 2010-06-25 20:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Roxio 2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield 2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Sonic 2010-06-25 18:12 . 2010-06-25 18:12 -------- d-----w- c:\program files\Common Files\Sonic Shared 2010-06-25 18:11 . 2010-06-25 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic 2010-06-25 18:10 . 2010-06-25 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio 2010-06-25 18:10 . 2010-06-25 18:10 -------- d-----w- c:\program files\DivX 2010-06-24 20:42 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll 2010-06-24 14:59 . 2010-06-24 14:59 -------- d-----w- c:\documents and settings\Earl\Application Data\Malwarebytes 2010-06-24 14:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-06-24 14:59 . 
2010-06-24 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-06-24 14:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-06-21 20:44 . 2010-06-03 00:59 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys 2010-06-21 20:42 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys 2010-06-21 20:42 . 2010-06-21 20:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL 2010-06-21 20:42 . 2010-06-21 20:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS 2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy) 2010-06-21 15:29 . 2010-06-21 15:29 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy) 2010-06-16 07:13 . 2010-06-16 07:13 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-07-06 17:44 . 2002-08-29 12:00 577536 ----a-w- c:\windows\system32\user32.dll 2010-07-01 23:32 . 2004-08-12 21:22 48424 ----a-w- c:\documents and settings\Earl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-07-01 18:51 . 2004-08-03 20:28 -------- d-----w- c:\documents and settings\Earl\Application Data\AdobeUM 2010-06-25 22:47 . 2004-08-03 20:15 -------- d-----w- c:\documents and settings\Earl\Application Data\Roxio 2010-06-25 18:12 . 2004-07-28 12:05 -------- d-----w- c:\program files\Roxio 2010-06-25 18:12 . 2004-07-28 12:04 -------- d-----w- c:\program files\Common Files\Roxio Shared 2010-06-24 20:15 . 2010-06-16 07:06 112 ----a-w- c:\documents and settings\All Users\Application Data\q818282.dat 2010-06-24 18:58 . 2002-08-29 12:00 68224 ----a-w- c:\windows\system32\drivers\pci.sys 2010-06-21 20:44 . 2004-09-09 14:26 -------- d-----w- c:\program files\Common Files\Symantec Shared 2010-06-21 20:43 . 
2004-08-17 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec 2010-06-21 20:42 . 2010-06-21 20:42 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF 2010-06-21 20:42 . 2010-06-21 20:42 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT 2010-06-21 20:42 . 2004-08-17 13:37 -------- d-----w- c:\program files\Symantec 2010-06-21 20:27 . 2008-01-03 21:57 -------- d-----w- c:\program files\Symantec AntiVirus 2010-06-21 16:50 . 2004-09-30 17:27 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-06-21 16:48 . 2004-09-07 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-05-06 10:41 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll 2010-05-02 05:56 . 2002-08-29 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys 2010-04-20 05:51 . 2002-08-29 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll . Infected c:\windows\system32\user32.dll hex repaired <pre> c:\program files\Common Files\Roxio Shared\System\EngUtil .exe c:\program files\Common Files\Symantec Shared\ccApp .exe c:\program files\RDS\RMClient\JobHisInit .exe c:\program files\RDS\RMClient\MplSetUp .exe c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon .exe c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc .exe c:\program files\Spybot - Search & Destroy\TeaTimer .exe c:\program files\Symantec AntiVirus\VPTray .exe </pre> ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
"POINTER"="point32.exe" [N/A]
"Matrox PowerDesk 8"="c:\windows\System32\PowerDesk8\Matrox.PowerDesk.exe" [2004-06-10 90112]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [N/A]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [N/A]
"Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SmartDeviceMonitor for Client.lnk - c:\program files\RDS\RMClient\PMClient.exe [2009-9-10 495616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2009-12-16 00:13 15216 ----a-w- c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EPSON Stylus Photo R2400"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE /FU "c:\windows\TEMP\E_S116.tmp" /EF "HKCU"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"JobHisInit"=c:\program files\RDS\RMClient\JobHisInit.exe
"MplSetUp"=c:\program files\RDS\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\System32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NvMcTray.dll,NvTaskbarInit
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"e:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"e:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [1/7/2003 4:01 AM 77056]
R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 9:59 AM 304464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/21/2010 3:47 PM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 9:59 AM 20952]
R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [6/10/2004 3:46 PM 465280]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]
.
Contents of the 'Scheduled Tasks' folder

2010-07-02 c:\windows\Tasks\diskspacecheck.job
- e:\Earl\DiskFreeSpace\DiskSpaceCheck\diskspacecheck.exe [2009-07-15 14:16]

2009-04-17 c:\windows\Tasks\getecf320 Train.job
- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

2009-04-17 c:\windows\Tasks\getecf320.job
- d:\dev5\GetECFLogin\Get320\getecf320.exe [2008-05-13 12:40]

2010-07-06 c:\windows\Tasks\Internet Explorer.job
- c:\progra~1\INTERN~1\iexplore.exe [2004-05-03 20:09]

2004-09-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2004-05-12 20:31]

2010-07-06 c:\windows\Tasks\User_Feed_Synchronization-{72469434-CA1D-442C-A963-92B52CFDD63A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/MyHomePage.htm
mSearch Bar = hxxp://www.google.com/
uSearchAssistant = about:blank
uSearchURL,(Default) = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: uscourts.gov
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
------- File Associations -------
.
.txt=UltraEdit.txt
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - g:\eudora\EuShlExt.dll
Notify-NavLogon - (no file)
SafeBoot-klmdb.sys
SafeBoot-Symantec Antvirus
AddRemove-{E2FDE250-942F-11DC-6784-0AD028DD18BE} - e:\clarion.net\Uninst_Clarion.Net

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 13:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,5d,05,95,43,50,e2,45,96,e0,5e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,5d,05,95,43,50,e2,45,96,e0,5e,\

[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1234729769-739792919-2267824289-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
@Allowed: (Read) (S-1-5-21-1234729769-739792919-2267824289-1005)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1164)
c:\program files\Expertcity\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(1060)
c:\windows\system32\WININET.dll
c:\windows\System32\PowerDesk8\Matrox.PowerDesk.Hooks.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\SYSTEM32\GEARSEC.EXE
c:\program files\Expertcity\GoToMyPC\g2svc.exe
c:\program files\Expertcity\GoToMyPC\g2comm.exe
c:\program files\Expertcity\GoToMyPC\g2pre.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
e:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Expertcity\GoToMyPC\g2tray.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
e:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft Hardware\Mouse\point32.exe
c:\windows\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
c:\program files\RDS\RMClient\PMCTray.exe
.
**************************************************************************
.
Completion time: 2010-07-06 13:17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-06 18:17

Pre-Run: 4,211,265,536 bytes free
Post-Run: 4,635,172,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - C365D19D8025EB401E743151D7ECE310

combo_fix_log.txt
  7. I did as you requested. Zipped Attach.txt attached.

Will I be able to reinstall Acrobat 6?

Last week after a Windows Update and Reboot the AppData EXE was no longer running and the TidServ warnings had stopped. MBAM, that I just ran, found the old files and got rid of them. Before I did that today it seemed like IE 8 would frequently crash opening a new tab, and then recover and open it fine.

One other oddity is I no longer see MalwareBytes in my tool tray, just the SEP icon. MBAM ran just fine for doing your tests. Originally after I installed MBAM

Thanks for all the Help!
De Novo

\\\\\\\\\\\\\\\\\\\\\\\\ mbam-log-2010-07-01 (18-57-22).txt \\\\\\\\\\\\\\\\\\\\\\\

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4265

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

7/1/2010 6:57:22 PM
mbam-log-2010-07-01 (18-57-22).txt

Scan type: Quick scan
Objects scanned: 212210
Time elapsed: 10 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ca.cab (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{833622f9-1720-4071-851a-8a5730c33565} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a1f2b3fc-1fc0-4562-9e6e-3a66e5c703e9} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ca.cab.1 (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\84jnbN3k.dll (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\3MThKEWF.exe__ (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\3MThKEWF.exe___ (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\3MThKEWF.ex_ (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\84jnbN3k_maybeVirus.dl_ (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.
\\ end \\\\\\\\\\\\\\\\\\\\\\ mbam-log-2010-07-01 (18-57-22).txt \\\\\\\\\\\\\\\\\\\\\\\

\\\\\\\\\\\\\\\\\\\\\\\\ DDS.txt \\\\\\\\\\\\\\\\\\\\\\\

DDS (Ver_10-03-17.01) - NTFSx86
Run by Carl at 19:03:55.29 on Thu 07/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1510 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
E:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
E:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RDS\RMClient\PMCTray.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Documents and Settings\Carl\Desktop\dee-dee-sssABCD.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/MyHomePage.htm
uSearch Page = hxxp://www.google.com
uSearch Bar = about:blank
mSearch Bar = hxxp://www.google.com/
uSearchAssistant = about:blank
uSearchURL,(Default) = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/
mCustomizeSearch = hxxp://www.google.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
TB: {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [soundMan] SOUNDMAN.EXE
mRun: [POINTER] point32.exe
mRun: [Matrox PowerDesk 8] c:\windows\system32\powerdesk8\Matrox.PowerDesk.exe /silent
mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Enterprise
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\sharedcom8\RoxWatchTray.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartd~1.lnk - c:\program files\rds\rmclient\PMClient.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: uscourts.gov
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: GoToMyPC - c:\program files\expertcity\gotomypc\G2WinLogon.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - g:\eudora\EuShlExt.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-1-7 77056]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-24 304464]
R2 Symantec AntiVirus;Symantec Endpoint Protection;e:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-21 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-24 20952]
R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [2004-6-10 465280]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100630.032\NAVENG.SYS [2010-6-30 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100630.032\NAVEX15.SYS [2010-6-30 1347504]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
S3 FILEMON;FILEMON;\??\c:\windows\system32\drivers\filem.sys --> c:\windows\system32\drivers\FILEM.SYS [?]

============== File Associations ===============

.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-06-25 18:12:13 0 d-----w- c:\program files\Sonic
2010-06-25 18:12:06 0 d-----w- c:\program files\common files\Sonic Shared
2010-06-25 18:10:05 0 d-----w- c:\program files\DivX
2010-06-24 20:42:49 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 14:59:56 0 d-----w- c:\docume~1\carl\applic~1\Malwarebytes
2010-06-24 14:59:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 14:59:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-24 14:59:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-21 20:44:00 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-06-21 20:42:56 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-06-21 20:42:41 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-21 20:42:41 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-21 20:42:41 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-21 20:42:41 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-21 15:29:42 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-21 15:29:40 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-16 21:05:17 58368 ----a-w- c:\windows\system32\mkfheogm_maybeVirus.dl_
2010-06-16 07:06:47 112 ----a-w- c:\docume~1\alluse~1\applic~1\q818282.dat

==================== Find3M ====================

2010-06-24 18:58:26 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-06-15 15:45:08 577536 ----a-w- c:\windows\system32\user32.DLL
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-06 14:14:22 51787 ----a-w- c:\windows\fonts\AdobeFnt07.lst

============= FINISH: 19:04:39.17 ===============

\\ end \\\\\\\\\\\\\\\\\\\\\\ DDS.txt \\\\\\\\\\\\\\\\\\\\\\\

Attach.Txt.zip
  8. On return from vacation I noticed my machine was popping up webpages in IE, playing audio I didn't play. Web search showed it was TidServ. Attempts to fix have not worked.

I uninstalled old Symantec and installed newest Symantec Endpoint Protection (SEP), updated and scanned. It did not find much, says Quarantined Cooper.Mine a Trojan.Gen. Now I started getting messages about blocking "tidserv request ...".

I noticed 3MThKEWF.EXE running in "C:\Doc & Setting\All Users\Application Data". It was dated about mid point of my vacation 6/16 at 2am, I think. Renaming that caused it to just reappear.

I installed MalwareBytes free, registered Pro, updated and ran a complete scan. The log is below (at bottom). It found Trojan.Downloader File Adware.ISTBar Spyware.Agent.H Disabled.SecurityCenter. Now MalWB generates the warning popups about blocked access instead of SEP warnings. So I think I'm not fixed.

On a fresh reboot opening the Symantec Endpoint Protection "View Network Activity" it shows net activity by:
3MThKEWF.EXE running in ...\All Users\Application Data
IExplore.exe, but I did not run IExplore.exe and TaskMan shows the owner is SYSTEM.
ntoskrnl.exe shows activity
If I block all access by 3MThKEWF.EXE and IExplore.exe then I still get popups about blocked activity. Here some sound files play too.

I ran TDSSKiller.exe. It found Drivers\PCI.Sys, said it fixed it and told me to reboot. So I did. Ran again and it found no problems. Log below.

I'm not fixed.
3MThKEWF.EXE continues to exist and is running. Also IExplore for the SYSTEM user.
MalWBytes still gives blocked messages.
I hear some sound files play, they seem to get cut off.
If I open IE (and unblock it in SEP) then I think I see it show some pages.
Things have improved, I can get to WindowsUpdate.Microsoft.com in IE.
I have Easy CD & DVD Creator 6 asking me to insert the CD to install a feature, not sure why.

On reboot I ran GMER with IAT/EAT unchecked, log below.
I ran DDS, log below.
I attached the Attach.txt zipped.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == DDS === \/\/\/\/\/\/\/\/\/\/\/\/

DDS (Ver_10-03-17.01) - NTFSx86
Run by Carl at 18:34:38.42 on Thu 06/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1150 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
E:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
E:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\Documents and Settings\All Users\Application Data\3MThKEWF.exe
E:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Carl\Desktop\dee-dee-sssABCD.scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/MyHomePage.htm
uSearch Page = hxxp://www.google.com
uSearch Bar = about:blank
mSearch Bar = hxxp://www.google.com/
uSearchAssistant = about:blank
uSearchURL,(Default) = hxxp://www.google.com/
mSearchAssistant = hxxp://www.google.com/
mCustomizeSearch = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: CAB Class: {c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} - c:\windows\system32\84jnbN3k.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
TB: {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [soundMan] SOUNDMAN.EXE
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [POINTER] point32.exe
mRun: [Matrox PowerDesk 8] c:\windows\system32\powerdesk8\Matrox.PowerDesk.exe /silent
mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Enterprise
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartd~1.lnk - c:\program files\rds\rmclient\PMClient.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: uscourts.gov
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: GoToMyPC - c:\program files\expertcity\gotomypc\G2WinLogon.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - g:\eudora\EuShlExt.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-1-7 77056]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-24 304464]
R2 Symantec AntiVirus;Symantec Endpoint Protection;e:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-21 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-24 20952]
R3 MTXPARH;MTXPARH;c:\windows\system32\drivers\MTXPARHM.sys [2004-6-10 465280]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100623.024\NAVENG.SYS [2010-6-23 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100623.024\NAVEX15.SYS [2010-6-23 1347504]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
S3 FILEMON;FILEMON;\??\c:\windows\system32\drivers\filem.sys --> c:\windows\system32\drivers\FILEM.SYS [?]

============== File Associations ===============

.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-06-24 20:15:46 45056 ----a-w- c:\windows\system32\84jnbN3k.dll
2010-06-24 14:59:56 0 d-----w- c:\docume~1\carl\applic~1\Malwarebytes
2010-06-24 14:59:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 14:59:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-24 14:59:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-24 12:39:29 70146 ----a-w- c:\docume~1\alluse~1\applic~1\3MThKEWF.exe
2010-06-21 20:44:00 161920 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-06-21 20:42:56 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-06-21 20:42:41 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-21 20:42:41 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-21 20:42:41 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-21 20:42:41 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-21 15:29:42 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-06-21 15:29:40 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-06-16 21:05:17 58368 ----a-w- c:\windows\system32\mkfheogm_maybeVirus.dl_
2010-06-16 07:06:48 45056 ----a-w- c:\windows\system32\84jnbN3k_maybeVirus.dl_
2010-06-16 07:06:47 112 ----a-w- c:\docume~1\alluse~1\applic~1\q818282.dat

==================== Find3M ====================

2010-06-24 18:58:26 68224 ----a-w- c:\windows\system32\drivers\pci.sys
2010-06-15 15:45:08 577536 ----a-w- c:\windows\system32\user32.DLL
2010-04-06 14:14:22 51787 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2004-08-03 23:29:08 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:35:03.39 ===============

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == GMER === \/\/\/\/\/\/\/\/\/\/\/\/

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-24 18:26:37
Windows 5.1.2600 Service Pack 2
Running: g.mmm-e~r-random.exe; Driver: C:\DOCUME~1\Carl\LOCALS~1\Temp\pxddrpob.sys

---- System - GMER 1.0.15 ----

SSDT 89EFA738 ZwAlertResumeThread
SSDT 89EFA660 ZwAlertThread
SSDT 8A4123E0 ZwAllocateVirtualMemory
SSDT 89FB3680 ZwConnectPort
SSDT 89F79058 ZwCreateMutant
SSDT 8A097B68 ZwCreateThread
SSDT 89EEB8B0 ZwFreeVirtualMemory
SSDT 89EFA9B8 ZwImpersonateAnonymousToken
SSDT 89EFA810 ZwImpersonateThread
SSDT 8A090170 ZwMapViewOfSection
SSDT 89EFAB20 ZwOpenEvent
SSDT 89EFA188 ZwOpenProcessToken
SSDT 89D68280 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB4ACE880]
SSDT 89EF9F50 ZwResumeThread
SSDT 89EFA3D8 ZwSetContextThread
SSDT 8A404DB8 ZwSetInformationProcess
SSDT 8A4228E8 ZwSetInformationThread
SSDT 89EFABF8 ZwSuspendProcess
SSDT 89EFA588 ZwSuspendThread
SSDT 89EFA0B0 ZwTerminateProcess
SSDT 89EFA4B0 ZwTerminateThread
SSDT 89EFA300 ZwUnmapViewOfSection
SSDT 89DA7700 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2558 80501448 4 Bytes CALL BE9AC8F9
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xB9C29900]

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs A78BF400

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\SoftwareDistribution\Download\dacaa269b99f2225391948b21cc85d90\WindowsXP-KB979559-x86-express-ENU.cab 262580 bytes
File C:\WINDOWS\KB979559.log 4756 bytes
File C:\WINDOWS\KB980218.log 4210 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BF5CE51F-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{1D33F377-7FE0-11DF-80C9-00112F0FD8E3}.dat 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F9625F5B-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{A1AC1C57-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{DC00442D-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B81B9D41-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E35BC5E9-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{CDC07649-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{23893287-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8B69E81B-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B0A11CF3-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{009C802B-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3C518409-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{EA95E6B9-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{618B1B3B-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{165B9311-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B3360815-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5531AD0F-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C5EE3EB9-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet
Explorer\Recovery\Active\{BFB7FE3B-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D27C20A1-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6DEE12CF-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{08018B4F-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{74291801-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{67B7D251-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F1D4CC3D-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D514D0F7-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{92AB2FF9-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{36226A99-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7DE51123-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet 
Explorer\Recovery\Active\{76888FE7-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{84594EC5-7FE1-11DF-80C9-00112F0FD8E3}.dat 0 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2FFA7837-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E55F4199-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5154BCE9-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{17FD4E57-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C669B941-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B7AC8E3B-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{4AFF7DD9-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F2003651-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7CC39519-7FDF-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet 
Explorer\Recovery\Active\{EBB21E4F-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{80B4978F-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0F61D1BF-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{37D273FB-7FE1-11DF-80C9-00112F0FD8E3}.dat 4608 bytes File C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{4287C487-7FE0-11DF-80C9-00112F0FD8E3}.dat 4608 bytes ---- EOF - GMER 1.0.15 ---- /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == TDDSKiller === \/\/\/\/\/\/\/\/\/\/\/\/ 13:55:38:937 6048 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48 13:55:38:937 6048 ================================================================================ 13:55:38:937 6048 SystemInfo: 13:55:38:937 6048 OS Version: 5.1.2600 ServicePack: 2.0 13:55:38:937 6048 Product type: Workstation 13:55:38:937 6048 ComputerName: xxxx 13:55:38:937 6048 UserName: xxx 13:55:38:937 6048 Windows directory: C:\WINDOWS 13:55:38:937 6048 Processor architecture: Intel x86 13:55:38:937 6048 Number of processors: 1 13:55:38:937 6048 Page size: 0x1000 13:55:38:937 6048 Boot type: Normal boot 13:55:38:937 6048 ================================================================================ 13:55:39:203 6048 Initialize success 13:55:39:203 6048 13:55:39:203 6048 Scanning Services ... 13:55:39:250 6048 Raw services enum returned 345 services 13:55:39:250 6048 13:55:39:250 6048 Scanning Drivers ... 
13:55:39:875 6048 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:55:39:953 6048 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:55:40:062 6048 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
13:55:40:140 6048 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
13:55:40:328 6048 ALCXSENS (ba88534a3ceb6161e7432438b9ea4f54) C:\WINDOWS\system32\drivers\ALCXSENS.SYS
13:55:40:421 6048 ALCXWDM (9a6a99f0d75b457e3a2267776ebe9f47) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
13:55:40:562 6048 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
13:55:40:750 6048 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:55:40:812 6048 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:55:40:906 6048 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:55:40:984 6048 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:55:41:031 6048 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:55:41:093 6048 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:55:41:203 6048 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:55:41:234 6048 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
13:55:41:281 6048 Cdr4_xp (bb139f391a6bcc60c883ecc3709631b6) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
13:55:41:328 6048 Cdralw2k (ccca51c4c556ef95312a4fa8012e8d49) C:\WINDOWS\system32\drivers\Cdralw2k.sys
13:55:41:359 6048 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:55:41:406 6048 cdudf_xp (6596a79656368e84e386d5810e2deb9c) C:\WINDOWS\system32\drivers\cdudf_xp.sys
13:55:41:531 6048 COH_Mon (c586875ece5318c6309ed1ab79d0e55f) C:\WINDOWS\system32\Drivers\COH_Mon.sys
13:55:41:656 6048 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
13:55:41:734 6048 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
13:55:41:796 6048 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
13:55:41:843 6048 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:55:41:890 6048 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
13:55:42:000 6048 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
13:55:42:046 6048 DVDVRRdr_xp (c90b9e655ae95d95a83855c9ee6ec561) C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
13:55:42:109 6048 dvd_2K (9f883d432e64f6f46fef27ddbaaca2b9) C:\WINDOWS\system32\drivers\dvd_2K.sys
13:55:42:156 6048 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
13:55:42:218 6048 EL2000 (25fe70646afe37801ab540b5d3b12cf9) C:\WINDOWS\system32\DRIVERS\EL2K_XP.sys
13:55:42:265 6048 ENTECH (bdd170fecb0e496a914318009d85b819) C:\WINDOWS\System32\DRIVERS\ENTECH.SYS
13:55:42:312 6048 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
13:55:42:375 6048 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
13:55:42:406 6048 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:55:42:515 6048 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
13:55:42:578 6048 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
13:55:42:625 6048 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
13:55:42:671 6048 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:55:42:703 6048 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:55:42:750 6048 gagp30kx (4216cd545e5c30807b560c5dcaa812e6) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
13:55:42:796 6048 GEARAspiWDM (46f23cfc888b0a4397aae705c8af92af) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
13:55:42:843 6048 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:55:42:890 6048 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:55:42:984 6048 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
13:55:43:109 6048 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:55:43:140 6048 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:55:43:250 6048 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
13:55:43:281 6048 IPFilter (9ea02e03ed52d25551a6e46cf3b94b01) C:\WINDOWS\system32\DRIVERS\IPFilter.sys
13:55:43:343 6048 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:55:43:375 6048 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:55:43:437 6048 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:55:43:468 6048 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:55:43:515 6048 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:55:43:562 6048 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:55:43:609 6048 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:55:43:656 6048 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
13:55:43:734 6048 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
13:55:43:796 6048 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
13:55:43:890 6048 MBAMProtector (67b48a903430c6d4fb58cbaca1866601) C:\WINDOWS\system32\drivers\mbam.sys
13:55:43:937 6048 mmc_2K (49e6197955269ae539b05e161adca0cf) C:\WINDOWS\system32\drivers\mmc_2K.sys
13:55:43:984 6048 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:55:44:046 6048 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
13:55:44:125 6048 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:55:44:171 6048 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
13:55:44:218 6048 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
13:55:44:296 6048 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:55:44:359 6048 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:55:44:390 6048 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
13:55:44:421 6048 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:55:44:468 6048 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:55:44:500 6048 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
13:55:44:546 6048 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:55:44:609 6048 MTXPARH (3b68ee6408a15ed198d4157341edb854) C:\WINDOWS\system32\DRIVERS\MTXPARHM.sys
13:55:44:640 6048 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
13:55:44:718 6048 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100623.024\NAVENG.SYS
13:55:44:750 6048 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100623.024\NAVEX15.SYS
13:55:44:796 6048 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
13:55:44:859 6048 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:55:44:890 6048 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:55:44:937 6048 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:55:44:984 6048 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
13:55:45:031 6048 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:55:45:078 6048 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:55:45:140 6048 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
13:55:45:203 6048 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
13:55:45:281 6048 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
13:55:45:328 6048 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:55:45:406 6048 nv (71dbdc08df86b80511e72953fa1ad6b0) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
13:55:45:484 6048 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:55:45:531 6048 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:55:45:578 6048 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
13:55:45:656 6048 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
13:55:45:687 6048 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
13:55:45:750 6048 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:55:45:781 6048 PCI (18d9b9f58f233004377b9afc74f8742f) C:\WINDOWS\system32\DRIVERS\pci.sys
13:55:45:781 6048 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 18d9b9f58f233004377b9afc74f8742f, Fake md5: 8086d9979234b603ad5bc2f5d890b234
13:55:45:781 6048 File "C:\WINDOWS\system32\DRIVERS\pci.sys" infected by TDSS rootkit ...
13:55:46:125 6048 Backup copy found, using it..
13:55:46:156 6048 will be cured on next reboot
13:55:46:296 6048 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
13:55:46:609 6048 Point32 (08b11f5c60edca255b18cedef8efba2a) C:\WINDOWS\system32\DRIVERS\point32.sys
13:55:46:687 6048 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:55:46:734 6048 PQNTDrv (474543751522111dd7c0cf09e17f6d9f) C:\WINDOWS\system32\drivers\PQNTDrv.sys
13:55:46:781 6048 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
13:55:46:828 6048 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
13:55:46:859 6048 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:55:46:890 6048 pwd_2k (eaf307b15592d2e423148422596e5c2e) C:\WINDOWS\system32\drivers\pwd_2k.sys
13:55:47:125 6048 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:55:47:171 6048 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:55:47:234 6048 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:55:47:265 6048 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:55:47:328 6048 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:55:47:375 6048 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:55:47:437 6048 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
13:55:47:500 6048 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
13:55:47:562 6048 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:55:47:640 6048 RT2500 (4cd0fc7949d175cf9138dae23ae440ad) C:\WINDOWS\system32\DRIVERS\RT2500.sys
13:55:47:734 6048 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:55:47:781 6048 Serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:55:47:843 6048 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
13:55:47:890 6048 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
13:55:48:015 6048 SPBBCDrv (e621bb5839cf45fa477f48092edd2b40) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
13:55:48:062 6048 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
13:55:48:125 6048 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
13:55:48:171 6048 SRTSP (2abf82c8452ab0b9ffc74a2d5da91989) C:\WINDOWS\system32\Drivers\SRTSP.SYS
13:55:48:265 6048 SRTSPL (e2f9e5887bea5bd8784d337e06eda31b) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
13:55:48:312 6048 SRTSPX (3b974c158fabd910186f98df8d3e23f3) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
13:55:48:390 6048 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
13:55:48:468 6048 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:55:48:515 6048 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
13:55:48:625 6048 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
13:55:48:671 6048 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
13:55:48:750 6048 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
13:55:48:890 6048 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
13:55:48:953 6048 SysPlant (1295b1da3e2a2c24c7d176f6e97afbd1) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys
13:55:49:015 6048 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:55:49:062 6048 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:55:49:093 6048 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
13:55:49:140 6048 Teefer2 (1de2e1357552a79f39bff003a11c533e) C:\WINDOWS\system32\DRIVERS\teefer2.sys
13:55:49:171 6048 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:55:49:265 6048 UdfReadr_xp (228606878da45208d8b1beeffe4b6d0b) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
13:55:49:312 6048 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
13:55:49:390 6048 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
13:55:49:453 6048 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:55:49:484 6048 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:55:49:531 6048 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:55:49:578 6048 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:55:49:609 6048 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
13:55:49:656 6048 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
13:55:49:703 6048 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
13:55:49:734 6048 viasraid (45469fa05947d75874316649a22878d4) C:\WINDOWS\system32\drivers\viasraid.sys
13:55:49:796 6048 vmm (b06bf9cd4f91f4afe3f433ea1b7a358c) C:\WINDOWS\System32\drivers\vmm.sys
13:55:49:859 6048 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
13:55:49:906 6048 VPCNetS2 (11f77458f5d3abd76747a628e0da2f6b) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
13:55:49:968 6048 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:55:50:062 6048 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
13:55:50:109 6048 WPS (c1620ebb375d3b02e31fd311c44fedeb) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
13:55:50:187 6048 WpsHelper (a930c1d2a7d0cb01810c9912d101b83c) C:\WINDOWS\system32\drivers\WpsHelper.sys
13:55:50:250 6048 yukonwxp (a81a1f8c2a50f72fda9c686aa85bf151) C:\WINDOWS\system32\DRIVERS\yukonwxp.sys
13:55:50:265 6048 Reboot required for cure complete..
13:55:50:281 6048 Cure on reboot scheduled successfully
13:55:50:281 6048
13:55:50:281 6048 Completed
13:55:50:281 6048
13:55:50:281 6048 Results:
13:55:50:281 6048 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:55:50:281 6048 File objects infected / cured / cured on reboot: 1 / 0 / 1
13:55:50:281 6048
13:55:50:281 6048 KLMD(ARK) unloaded successfully

Rebooted and ran TDSSKiller again, nothing was found:

14:01:56:453 2128 Completed
14:01:56:453 2128
14:01:56:453 2128 Results:
14:01:56:453 2128 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:01:56:453 2128 File objects infected / cured / cured on reboot: 0 / 0 / 0

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ == MBAM Log === \/\/\/\/\/\/\/\/\/\/\/\/

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4233

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

6/24/2010 12:44:30 PM
mbam-log-2010-06-24 (12-44-30).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 665160
Time elapsed: 2 hour(s), 31 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appintt_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\radmin\admdll.dll (PUP.RemoteAdmin) -> Not selected for removal.
C:\Program Files\radmin\raddrv.dll (PUP.RemoteAdmin) -> Not selected for removal.
C:\System Volume Information\_restore{C61C1574-B964-4E80-A3AB-04657FD7B0AF}\RP2079\A0212591.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\admdll.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\raddrv.dll (PUP.RemoteAdmin) -> Quarantined and deleted successfully.

Attach.txt.zip