Jump to content

Rigmaster

Honorary Members
  • Posts

    33
  • Joined

  • Last visited

Everything posted by Rigmaster

  1. Results of screen317's Security Check version 0.99.46 Windows XP Service Pack 3 x86 Internet Explorer 8 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! Microsoft Security Essentials Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.62.0.1300 Java 6 Update 34 Java 6 Update 3 Java 6 Update 5 Java 6 Update 7 Java version out of Date! Adobe Flash Player 10 Flash Player out of Date! Adobe Flash Player 10.0.42.34 Flash Player out of Date! Adobe Reader 8 Adobe Reader out of Date! Adobe Reader X (10.1.4) Mozilla Firefox (3.5.16) Firefox out of Date! ````````Process Check: objlist.exe by Laurent```````` Microsoft Security Essentials MSMpEng.exe Microsoft Security Essentials msseces.exe Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbamgui.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C:: 19% Defragment your hard drive soon! (Do NOT defrag if SSD!) ````````````````````End of Log``````````````````````
  2. Everything seems good so far. MBAM Log: Malwarebytes Anti-Malware 1.62.0.1300 www.malwarebytes.org Database version: v2012.08.23.04 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 raleigh :: ACER-E355056E8B [administrator] Protection: Enabled 8/23/2012 8:59:46 AM mbam-log-2012-08-23 (08-59-46).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 292407 Time elapsed: 9 minute(s), 13 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)
  3. RK Report: RogueKiller V7.6.6 [08/10/2012] by Tigzy mail: tigzyRK<at>gmail<dot>com Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User: raleigh [Admin rights] Mode: Scan -- Date: 08/22/2012 16:41:03 ¤¤¤ Bad processes: 0 ¤¤¤ ¤¤¤ Registry Entries: 1 ¤¤¤ [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver: [LOADED] ¤¤¤ ¤¤¤ Infection : ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: WDC WD800JD-22MSA1 +++++ --- User --- [MBR] 814ada70c4f671fd96447688765bec97 [bSP] 6c807b57d82e869e759c0174e0affc51 : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[3].txt >> RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
  4. Sorry for the slow reply- I ended up having to run Combofix twice. I tried several times to attach the first report in a reply, but each time something would lock up the browser (I tried IE and Chrome) and not let me paste the text into the reply box, or let me click the "post" button. So, this is the report generated after the 2nd run of Combofix- let me know if you need the 1st report and I'll post it up. Thanks!
  5. ComboFix 12-08-22.01 - raleigh 08/22/2012 15:37:20.3.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1089 [GMT -4:00] Running from: c:\documents and settings\raleigh\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((( Files Created from 2012-07-22 to 2012-08-22 ))))))))))))))))))))))))))))))) . . 2012-08-22 19:20 . 2012-08-01 22:51 7023536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{51687F5E-CF96-42AF-804C-D461052ABF00}\mpengine.dll 2012-08-22 17:46 . 2012-08-22 18:13 -------- d-----w- C:\TDSSKiller_Quarantine 2012-08-22 17:14 . 2012-08-22 18:13 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys 2012-08-21 20:45 . 2012-08-21 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan 2012-08-21 20:45 . 2012-08-21 20:45 -------- d-----w- c:\program files\Security Task Manager 2012-08-16 20:35 . 2012-06-29 08:44 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-08-09 18:11 . 2012-08-09 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother 2012-08-06 13:20 . 2012-08-06 13:20 -------- d--h--w- c:\windows\PIF 2012-08-02 18:21 . 2012-08-03 14:42 -------- d-----w- c:\documents and settings\raleigh\Local Settings\Application Data\LogMeIn Rescue Applet 2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll 2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-08-15 01:07 . 2012-04-17 21:34 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-08-15 01:07 . 2011-07-06 14:25 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-07-03 17:46 . 2011-12-28 22:28 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-13 13:19 . 2005-10-06 00:06 1866112 ----a-w- c:\windows\system32\win32k.sys 2012-06-07 00:59 . 2012-06-07 00:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX 2012-06-05 15:50 . 2007-05-15 22:43 1372672 ----a-w- c:\windows\system32\msxml6.dll 2012-06-05 15:50 . 2004-08-04 05:00 1172480 ----a-w- c:\windows\system32\msxml3.dll 2012-06-04 21:35 . 2009-06-04 00:09 222448 ----a-w- c:\windows\system32\muweb.dll 2012-06-04 04:32 . 2004-08-04 05:00 152576 ----a-w- c:\windows\system32\schannel.dll 2012-06-02 19:19 . 2007-07-31 02:18 22040 ----a-w- c:\windows\system32\wucltui.dll.mui 2012-06-02 19:19 . 2007-07-31 02:19 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui 2012-06-02 19:19 . 2004-08-04 05:00 329240 ----a-w- c:\windows\system32\wucltui.dll 2012-06-02 19:19 . 2004-08-04 05:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl 2012-06-02 19:19 . 2004-08-04 05:00 210968 ----a-w- c:\windows\system32\wuweb.dll 2012-06-02 19:19 . 2007-07-31 02:19 45080 ----a-w- c:\windows\system32\wups2.dll 2012-06-02 19:19 . 2007-07-31 02:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui 2012-06-02 19:19 . 2004-08-04 05:00 97304 ----a-w- c:\windows\system32\cdm.dll 2012-06-02 19:19 . 2004-08-04 05:00 53784 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-02 19:19 . 2004-08-04 05:00 35864 ----a-w- c:\windows\system32\wups.dll 2012-06-02 19:19 . 2007-07-31 02:18 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui 2012-06-02 19:19 . 2004-08-04 05:00 577048 ----a-w- c:\windows\system32\wuapi.dll 2012-06-02 19:19 . 2004-08-04 05:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-02 19:18 . 2009-06-04 00:09 275696 ----a-w- c:\windows\system32\mucltui.dll 2012-06-02 19:18 . 2009-06-04 00:09 17136 ----a-w- c:\windows\system32\mucltui.dll.mui 2012-05-31 13:22 . 2004-08-04 05:00 599040 ----a-w- c:\windows\system32\crypt32.dll . . ((((((((((((((((((((((((((((( SnapShot_2012-08-22_19.05.44 ))))))))))))))))))))))))))))))))))))))))) . + 2012-07-24 20:33 . 2012-08-22 19:43 227180 c:\windows\system32\inetsrv\MetaBase.bin . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-29 68856] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2007-01-30 16116224] "SkyTel"="SkyTel.EXE" [2006-05-16 2879488] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "SiSPower"="SiSPower.dll" [2007-02-28 53248] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048] "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008] "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696] "ScrewDrivers RDP Plugin"="c:\program files\triCerat\Simplify Printing\ScrewDrivers Client v4\install_rdp.exe" [2011-04-28 45384] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBLAFQANgAyAC0AVAAwAFQAMABXAC0ARwA0ADkAOQBBAC0ATABaAEIARABRAC0AOAA2AE4AVABRAA&inst=NwA2AC0ANQAwADQAMgA1ADAAMgA3ADcALQBCADEALQBVADkAMAArADEALQBYAE8AMwA2ACsAMQAtAFMAVAAxACsAMgAtAFQAQgA5ACsAMgAtAE4AMQBEACsAMQAtAFAATAArADkALQBDAEkAQQA5ADAAKwAyAA∏=92&ver=9.0.894" [?] . c:\documents and settings\raleigh\Start Menu\Programs\Startup\ DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848] OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp] Alaunch [X] . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp] 2006-09-23 20:08 61440 ----a-w- c:\acer\WR_PopUp\WarReg_PopUp.exe . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"= "c:\\Program Files\\CyberLink\\PowerDVD\\OLRSubmission\\OLRSubmission.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\LogMeIn Rescue Calling Card\\CallingCard.exe"= "c:\\WINDOWS\\LMI2D.tmp\\lmi_rescue.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Documents and Settings\\raleigh\\Application Data\\Spotify\\spotify.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "9999:UDP"= 9999:UDP:LANScope UDP Port "2804:TCP"= 2804:TCP:LANScope TCP Port "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management . R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/29/2011 9:53 AM 374152] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 1:41 PM 12856] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/28/2011 6:28 PM 655944] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/28/2011 6:28 PM 22344] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 5:43 PM 135664] S2 netlimiter;netlimiter;\??\c:\windows\system32\drivers\netlimiter.sys --> c:\windows\system32\drivers\netlimiter.sys [?] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/17/2012 5:34 PM 250056] S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [10/17/2007 12:24 PM 58352] S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [10/17/2007 12:24 PM 8304] S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [10/17/2007 12:24 PM 93904] S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [10/17/2007 12:24 PM 73696] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 5:43 PM 135664] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - UBHELPER *NewlyCreated* - WS2IFSL . Contents of the 'Scheduled Tasks' folder . 2012-08-22 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 01:07] . 2012-08-21 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-29 08:53] . 2012-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 21:42] . 2012-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 21:42] . 2012-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-783975438-433103722-3473481398-1008Core.job - c:\documents and settings\raleigh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-06 13:22] . 2012-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-783975438-433103722-3473481398-1008UA.job - c:\documents and settings\raleigh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-06 13:22] . 2012-08-22 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job - c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03] . 2012-08-22 c:\windows\Tasks\User_Feed_Synchronization-{9373A04D-379D-4C6A-B6C8-832B7FC8FB82}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 08:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1212586949&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855 uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com Trusted Zone: car-part.com\appcgi Trusted Zone: minutemanintl.com\www TCP: DhcpNameServer = 192.168.0.1 DPF: {03A89EFD-E023-B000-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInst11.dll DPF: {03A89EFD-E023-B100-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInst11.dll FF - ProfilePath - c:\documents and settings\raleigh\Application Data\Mozilla\Firefox\Profiles\hvldi4b0.default\ FF - prefs.js: browser.search.selectedEngine - AVG Secure Search FF - prefs.js: browser.startup.homepage - www.hotmail.com FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4c63e952&v=6.010.006.004&i=26&tp=ab&iy=&ychte=us&lng=en-US&q= FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-08-22 15:45 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: WDC_WD800JD-22MSA1 rev.10.01E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e . device: opened successfully user: MBR read successfully kernel: MBR read successfully detected disk devices: detected hooks: \Driver\atapi DriverStartIo -> 0xB9F12864 user & kernel MBR OK . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-783975438-433103722-3473481398-1008\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(712) c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll . - - - - - - - > 'explorer.exe'(2836) c:\windows\system32\WININET.dll c:\program files\Windows Desktop Search\deskbar.dll c:\program files\Windows Desktop Search\en-us\dbres.dll.mui c:\program files\Windows Desktop Search\dbres.dll c:\program files\Windows Desktop Search\wordwheel.dll c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui c:\program files\Windows Desktop Search\msnlExtRes.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2012-08-22 15:47:43 ComboFix-quarantined-files.txt 2012-08-22 19:47 ComboFix2.txt 2012-08-22 19:12 ComboFix3.txt 2011-12-28 21:40 . Pre-Run: 50,197,135,360 bytes free Post-Run: 50,178,015,232 bytes free . - - End Of File - - 0AC2121AF2457647584D12B70DC0821A
  6. <p>[00:00:0000] Has crashed before : Yes [00:00:0015] ***** Global Init ***** [00:00:0015] Create mutex : RogueKiller [00:00:0015] Mutex Created : 0x9c [00:00:0031] Fill lists [00:00:0031] OS Language : English [00:00:0047] Take Privileges [00:00:0047] Modify Token [00:00:0062] Set priority to HIGH [00:00:0062] Getting Operating System [00:00:0062] Os Getted : Windows XP (5.1.2600 Service Pack 3) 32 bits version [00:00:0062] ***** Global Init OK ***** [00:00:0078] ***** GUI Init ***** [00:00:0078] Get build number [00:00:0078] build number : RogueKiller (by Tigzy) -- v7.6.6 [00:00:0234] ***** GUI Init OK ***** [00:00:0250] ***** PreScan ***** [00:00:0250] Clear ListViews [00:00:0265] Clear Objects [00:00:0281] [Check Window] Eula - Please read [00:00:0297] [Check Window] Debug log sending [00:00:0297] [Check Window] Start Menu [00:00:0312] [Check Window] SysFader [00:00:0312] [Check Window] S/PDIF IN/OUT Settings [00:00:0328] [Check Window] Set Device Type [00:00:0328] [Check Window] Mixer ToolBox [00:00:0343] [Check Window] Connector Settings [00:00:0343] [Check Window] RogueKiller (by Tigzy) -- v7.6.6 [00:00:0343] [Check Window] JavaUpdate SysTray Icon [00:00:0359] [Check Window] MCI command handling window [00:00:0375] [Check Window] DDE Server Window [00:00:0375] [Check Window] UNCFATDMS [00:00:0390] [Check Window] QuickCam® [00:00:0406] [Check Window] COCIHiddenwindow [00:00:0422] [Check Window] medusa_callbackpostmessage_C9725127-BFE4-4159-87DB-9999D30E1845 [00:00:0422] [Check Window] nocaption [00:00:0437] [Check Window] callbackCFireEventSerializerIFireEvent [00:00:0437] [Check Window] callbackCLDMEventSerializerIInProcDeviceManagerEvents [00:00:0453] [Check Window] DDE Server Window [00:00:0453] [Check Window] HiddenFaxWindow [00:00:0468] [Check Window] callbackCCOCIMngrEventsSerializerICOCIMngrEvents [00:00:0468] [Check Window] medusa_callbackpostmessage_C9725127-BFE4-4159-87DB-9999D30E1845 [00:00:0484] [Check Window] nocaption [00:00:0484] [Check Window] DTS Connect [00:00:0500] [Check Window] medusa_callbackpostmessage_C9725127-BFE4-4159-87DB-9999D30E1845 [00:00:0500] [Check Window] nocaption [00:00:0515] [Check Window] medusa_callbackpostmessage_C9725127-BFE4-4159-87DB-9999D30E1845 [00:00:0515] [Check Window] nocaption [00:00:0531] [Check Window] Dolby Home Threater [00:00:0531] [Check Window] Advance Setting [00:00:0547] [Check Window] TOOLBOX [00:00:0547] [Check Window] Load EQ Preset [00:00:0562] [Check Window] DeleteEQ [00:00:0562] [Check Window] Save EQ [00:00:0578] [Check Window] Realtek HD Audio Manager [00:00:0578] [Check Window] BackMain_Form [00:00:0593] [Check Window] Realtek HD Audio Manager [00:00:0593] [Check Window] medusa_callbackpostmessage_C9725127-BFE4-4159-87DB-9999D30E1845 [00:00:0609] [Check Window] medusa_callbackpostmessage_C9725127-BFE4-4159-87DB-9999D30E1845 [00:00:0609] [Check Window] nocaption [00:00:0625] [Check Window] nocaption [00:00:0625] [Check Window] callbackCLCMEventSerializerILogiCommunicationManagerEvents [00:00:0625] [Check Window] MCI command handling window [00:00:0640] [Check Window] {A7E495BF-9589-4a6e-8479-DDA2D8D3C05F} [00:00:0640] [Check Window] Microsoft Security Essentials [00:00:0656] [Check Window] DDE Server Window [00:00:0656] [Check Window] LogMeIn - Version Update [00:00:0672] [Check Window] Connections Tray [00:00:0672] [Check Window] Power Meter [00:00:0687] [Check Window] MS_WebcheckMonitor [00:00:0687] [Check Window] DDE Server Window [00:00:0703] [Check Window] LogMeIn [00:00:0703] [Check Window] LogMeIn [00:00:0718] [Check Window] LogMeIn [00:00:0734] [Check Window] LogMeIn Status [00:00:0750] [Check Window] Malwarebytes Anti-Malware [00:00:0750] [Check Window] LogMeInGui [00:00:0765] [Check Window] medusa_callbackpostmessage_C9725127-BFE4-4159-87DB-9999D30E1845 [00:00:0765] [Check Window] nocaption [00:00:0781] [Check Window] callbackCFireEventSerializerIFireEvent [00:00:0781] [Check Window] callbackCLDMEventSerializerIInProcDeviceManagerEvents [00:00:0781] [Check Window] GDI+ Window [00:00:0797] [Check Window] GDI+ Window [00:00:0797] [Check Window] Logitech Updater [00:00:0812] [Check Window] Logitech Updater [00:00:0812] [Check Window] SystemTray Demo [00:00:0828] [Check Window] GDI+ Window [00:00:0828] [Check Window] GDI+ Window [00:00:0843] [Check Window] GDI+ Window [00:00:0843] [Check Window] svchost.exe malware or trojan - Malwarebytes Forum - Windows Internet Explorer [00:00:0859] [Check Window] Program Manager [00:00:0859] [Check Window] M [00:00:0875] [Check Window] Default IME [00:00:0875] [Check Window] M [00:00:0890] [Check Window] Default IME [00:00:0890] [Check Window] Default IME [00:00:0906] [Check Window] Default IME [00:00:0906] [Check Window] Default IME [00:00:0922] [Check Window] Default IME [00:00:0922] [Check Window] M [00:00:0937] [Check Window] Default IME [00:00:0937] [Check Window] Default IME [00:00:0953] [Check Window] Default IME [00:00:0953] [Check Window] Default IME [00:00:0968] [Check Window] Default IME [00:00:0968] [Check Window] Default IME [00:00:0984] [Check Window] Default IME [00:00:0984] [Check Window] Default IME [00:00:0984] [Check Window] Default IME [00:01:0000] [Check Window] M [00:01:0000] [Check Window] Default IME [00:01:0015] [Check Window] Default IME [00:01:0015] [Check Window] Default IME [00:01:0031] [Check Window] Default IME [00:01:0031] [Check Window] Default IME [00:01:0047] [Check Window] Default IME [00:01:0047] [Check Window] Default IME [00:01:0062] [Check Window] M [00:01:0062] [Check Window] Default IME [00:01:0078] [Check Window] Default IME [00:01:0078] [Check Window] Default IME [00:01:0078] [Check Window] Default IME [00:01:0093] [Check Window] M [00:01:0093] [Check Window] Default IME [00:01:0109] [Check Window] M [00:01:0109] [Check Window] Default IME [00:01:0125] [Check Window] M [00:01:0125] [Check Window] Default IME [00:01:0172] [Check Processes] Service PID : 752 [00:01:0172] [Check Processes] [0] [system Process] [00:01:0187] [Check Processes] [4] System [00:01:0187] [Check Processes] [440] smss.exe [00:01:0187] [Check Processes] [684] csrss.exe [00:01:0203] [Check Processes] [708] winlogon.exe [00:01:0218] [Check Processes] [752] services.exe [00:01:0218] [Check Processes] [764] lsass.exe [00:01:0234] [Check Processes] [932] svchost.exe [00:01:0234] [Check Processes] [1000] svchost.exe [00:01:0250] [Check Processes] [1092] MsMpEng.exe [00:01:0250] Nb sections : 4 [00:01:0265] Parsing section : [6] .text [00:01:0265] Parsing section at 0x400 [00:01:0265] Parsing section : [6] .data [00:01:0281] Parsing section at 0x800 [00:01:0281] Parsing section : [6] .rsrc [00:01:0297] Parsing section at 0xa00 [00:01:0297] Parsing section : [7] .reloc [00:01:0297] Parsing section at 0x1000 [00:01:0312] [Check Processes] [1132] svchost.exe [00:01:0312] [Check Processes] [1196] svchost.exe [00:01:0328] [Check Processes] [1368] svchost.exe [00:01:0328] [Check Processes] [1772] spoolsv.exe [00:01:0343] [Check Processes] [1864] explorer.exe [00:01:0359] [Check DLLs] Explorer.EXE [00:01:0359] [Check DLLs] ntdll.dll [00:01:0375] [Check DLLs] kernel32.dll [00:01:0375] [Check DLLs] ADVAPI32.dll [00:01:0375] [Check DLLs] RPCRT4.dll [00:01:0390] [Check DLLs] Secur32.dll [00:01:0390] [Check DLLs] BROWSEUI.dll [00:01:0406] [Check DLLs] GDI32.dll [00:01:0406] [Check DLLs] USER32.dll [00:01:0422] [Check DLLs] msvcrt.dll [00:01:0422] [Check DLLs] ole32.dll [00:01:0422] [Check DLLs] SHLWAPI.dll [00:01:0437] [Check DLLs] OLEAUT32.dll [00:01:0437] [Check DLLs] SHDOCVW.dll [00:01:0453] [Check DLLs] CRYPT32.dll [00:01:0453] [Check DLLs] MSASN1.dll [00:01:0453] [Check DLLs] CRYPTUI.dll [00:01:0468] [Check DLLs] NETAPI32.dll [00:01:0468] [Check DLLs] VERSION.dll [00:01:0468] [Check DLLs] WININET.dll [00:01:0484] [Check DLLs] Normaliz.dll [00:01:0484] [Check DLLs] urlmon.dll [00:01:0500] [Check DLLs] iertutil.dll [00:01:0500] [Check DLLs] WINTRUST.dll [00:01:0500] [Check DLLs] IMAGEHLP.dll [00:01:0515] [Check DLLs] WLDAP32.dll [00:01:0515] [Check DLLs] SHELL32.dll [00:01:0531] [Check DLLs] UxTheme.dll [00:01:0531] [Check DLLs] ShimEng.dll [00:01:0531] [Check DLLs] AcGenral.DLL [00:01:0547] [Check DLLs] WINMM.dll [00:01:0547] [Check DLLs] MSACM32.dll [00:01:0547] [Check DLLs] USERENV.dll [00:01:0562] [Check DLLs] IMM32.DLL [00:01:0562] [Check DLLs] LPK.DLL [00:01:0578] [Check DLLs] USP10.dll [00:01:0578] [Check DLLs] comctl32.dll [00:01:0578] [Check DLLs] comctl32.dll [00:01:0593] [Check DLLs] msctfime.ime [00:01:0593] [Check DLLs] appHelp.dll [00:01:0593] [Check DLLs] CLBCATQ.DLL [00:01:0609] [Check DLLs] COMRes.dll [00:01:0609] [Check DLLs] cscui.dll [00:01:0625] [Check DLLs] CSCDLL.dll [00:01:0625] [Check DLLs] themeui.dll [00:01:0625] [Check DLLs] MSIMG32.dll [00:01:0640] [Check DLLs] xpsp2res.dll [00:01:0640] [Check DLLs] actxprxy.dll [00:01:0640] [Check DLLs] MSNLNamespaceMgr.dll [00:01:0656] [Check DLLs] ieframe.dll [00:01:0656] [Check DLLs] LVPrcInj01.dll [00:01:0672] [Check DLLs] deskbar.dll [00:01:0672] [Check DLLs] dbres.dll.mui [00:01:0672] [Check DLLs] dbres.dll [00:01:0687] [Check DLLs] wordwheel.dll [00:01:0687] [Check DLLs] WTSAPI32.dll [00:01:0687] [Check DLLs] WINSTA.dll [00:01:0703] [Check DLLs] msnlExtRes.dll.mui [00:01:0703] [Check DLLs] msnlExtRes.dll [00:01:0718] [Check DLLs] msxml3.dll [00:01:0718] [Check DLLs] ws2_32.dll [00:01:0718] [Check DLLs] WS2HELP.dll [00:01:0734] [Check DLLs] LINKINFO.dll [00:01:0734] [Check DLLs] ntshrui.dll [00:01:0750] [Check DLLs] ATL.DLL [00:01:0750] [Check DLLs] SAMLIB.dll [00:01:0750] [Check DLLs] SETUPAPI.dll [00:01:0765] [Check DLLs] msi.dll [00:01:0765] [Check DLLs] NETSHELL.dll [00:01:0781] [Check DLLs] credui.dll [00:01:0781] [Check DLLs] dot3api.dll [00:01:0781] [Check DLLs] rtutils.dll [00:01:0797] [Check DLLs] dot3dlg.dll [00:01:0797] [Check DLLs] OneX.DLL [00:01:0812] [Check DLLs] eappcfg.dll [00:01:0812] [Check DLLs] MSVCP60.dll [00:01:0828] [Check DLLs] eappprxy.dll [00:01:0828] [Check DLLs] iphlpapi.dll [00:01:0828] [Check DLLs] webcheck.dll [00:01:0843] [Check DLLs] MLANG.dll [00:01:0843] [Check DLLs] stobject.dll [00:01:0843] [Check DLLs] BatMeter.dll [00:01:0859] [Check DLLs] POWRPROF.dll [00:01:0859] [Check DLLs] WPDShServiceObj.dll [00:01:0875] [Check DLLs] WINHTTP.dll [00:01:0875] [Check DLLs] mydocs.dll [00:01:0875] [Check DLLs] PortableDeviceTypes.dll [00:01:0890] [Check DLLs] PortableDeviceApi.dll [00:01:0890] [Check DLLs] rsaenh.dll [00:01:0906] [Check DLLs] wdmaud.drv [00:01:0906] [Check DLLs] msacm32.drv [00:01:0906] [Check DLLs] midimap.dll [00:01:0922] [Check DLLs] fxsst.dll [00:01:0922] [Check DLLs] WINSPOOL.DRV [00:01:0937] [Check DLLs] FXSAPI.dll [00:01:0937] [Check DLLs] NTMARTA.DLL [00:01:0937] [Check DLLs] MPR.dll [00:01:0953] [Check DLLs] drprov.dll [00:01:0953] [Check DLLs] ntlanman.dll [00:01:0968] [Check DLLs] NETUI0.dll [00:01:0968] [Check DLLs] NETUI1.dll [00:01:0968] [Check DLLs] NETRAP.dll [00:01:0984] [Check DLLs] davclnt.dll [00:01:0984] [Check DLLs] LMIRfsClientNP.dll [00:02:0000] [Check DLLs] SXS.DLL [00:02:0000] [Check DLLs] browselc.dll [00:02:0000] [Check DLLs] wdsShell.dll [00:02:0015] [Check DLLs] tquery.dll [00:02:0015] [Check DLLs] PROPSYS.dll [00:02:0031] [Check DLLs] msshsq.dll [00:02:0031] [Check DLLs] LangWrbk.dll [00:02:0031] [Check DLLs] mshtml.dll [00:02:0047] [Check DLLs] msls31.dll [00:02:0047] [Check DLLs] PSAPI.DLL [00:02:0062] [Check DLLs] mstime.dll [00:02:0062] [Check DLLs] DDRAW.dll [00:02:0062] [Check DLLs] DCIMAN32.dll [00:02:0078] [Check DLLs] jscript.dll [00:02:0078] [Check DLLs] msimtf.dll [00:02:0078] [Check DLLs] MSCTF.dll [00:02:0093] [Check DLLs] Dxtrans.dll [00:02:0093] [Check DLLs] ddrawex.dll [00:02:0109] [Check DLLs] Dxtmsft.dll [00:02:0109] [Check DLLs] gdiplus.dll [00:02:0125] [Check DLLs] D3DIM700.DLL [00:02:0125] [Check DLLs] DUSER.dll [00:02:0125] [Check DLLs] mssprxy.dll [00:02:0140] [Check DLLs] MSGINA.dll [00:02:0140] [Check DLLs] ODBC32.dll [00:02:0156] [Check DLLs] comdlg32.dll [00:02:0156] [Check DLLs] odbcint.dll [00:02:0156] [Check DLLs] sti.dll [00:02:0172] [Check DLLs] CFGMGR32.dll [00:02:0172] [Check DLLs] MSVCR90.dll [00:02:0187] [Check DLLs] PDFShell.dll [00:02:0187] [Check DLLs] MSVCP90.dll [00:02:0203] [Check Processes] [296] svchost.exe [00:02:0203] [Check Processes] [452] E_S40RP7.EXE [00:02:0218] Nb sections : 3 [00:02:0218] Parsing section : [6] .text [00:02:0218] Parsing section at 0x400 [00:02:0234] Parsing section : [6] .data [00:02:0234] Parsing section at 0x1a400 [00:02:0250] Parsing section : [6] .rsrc [00:02:0250] Parsing section at 0x1b800 [00:02:0265] [Check Processes] [560] inetinfo.exe [00:02:0265] Nb sections : 3 [00:02:0281] Parsing section : [6] .text [00:02:0281] Parsing section at 0x400 [00:02:0297] Parsing section : [6] .data [00:02:0297] Parsing section at 0x3200 [00:02:0297] Parsing section : [6] .rsrc [00:02:0312] Parsing section at 0x3400 [00:02:0312] [Check Processes] [596] jqs.exe [00:02:0328] Nb sections : 4 [00:02:0328] Parsing section : [6] .text [00:02:0328] Parsing section at 0x1000 [00:02:0343] Parsing section : [7] .rdata [00:02:0343] Parsing section at 0x17000 [00:02:0359] Parsing section : [6] .data [00:02:0359] Parsing section at 0x22000 [00:02:0359] Parsing section : [6] .rsrc [00:02:0375] Parsing section at 0x23000 [00:02:0375] [Check Processes] [628] LMIGuardianSvc.exe [00:02:0390] Nb sections : 5 [00:02:0390] Parsing section : [6] .text [00:02:0406] Parsing section at 0x1000 [00:02:0406] Parsing section : [7] .rdata [00:02:0406] Parsing section at 0x9000 [00:02:0422] Parsing section : [6] .data [00:02:0422] Parsing section at 0xc000 [00:02:0437] Parsing section : [6] .rsrc [00:02:0437] Parsing section at 0xd000 [00:02:0453] Parsing section : [7] .reloc [00:02:0453] Parsing section at 0x58000 [00:02:0453] [Check Processes] [960] LVComSer.exe [00:02:0468] Nb sections : 4 [00:02:0468] Parsing section : [6] .text [00:02:0484] Parsing section at 0x1000 [00:02:0484] Parsing section : [7] .rdata [00:02:0500] Parsing section at 0x1e000 [00:02:0500] Parsing section : [6] .data [00:02:0500] Parsing section at 0x25000 [00:02:0515] Parsing section : [6] .rsrc [00:02:0515] Parsing section at 0x27000 [00:02:0531] [Check Processes] [1184] LVPrcSrv.exe [00:02:0531] Nb sections : 4 [00:02:0531] Parsing section : [6] .text [00:02:0547] Parsing section at 0x1000 [00:02:0547] Parsing section : [7] .rdata [00:02:0562] Parsing section at 0x16000 [00:02:0562] Parsing section : [6] .data [00:02:0562] Parsing section at 0x1c000 [00:02:0578] Parsing section : [6] .rsrc [00:02:0578] Parsing section at 0x1e000 [00:02:0593] [Check Processes] [1240] mbamservice.exe [00:02:0593] Nb sections : 5 [00:02:0609] Parsing section : [6] .text [00:02:0609] Parsing section at 0x400 [00:02:0625] Parsing section : [7] .rdata [00:02:0625] Parsing section at 0x77c00 [00:02:0640] Parsing section : [6] .data [00:02:0640] Parsing section at 0x92200 [00:02:0656] Parsing section : [6] .rsrc [00:02:0656] Parsing section at 0x95a00 [00:02:0656] Parsing section : [7] .reloc [00:02:0672] Parsing section at 0x96000 [00:02:0672] [Check Processes] [1584] snmp.exe [00:02:0687] Nb sections : 3 [00:02:0687] Parsing section : [6] .text [00:02:0687] Parsing section at 0x400 [00:02:0703] Parsing section : [6] .data [00:02:0703] Parsing section at 0x7200 [00:02:0718] Parsing section : [6] .rsrc [00:02:0718] Parsing section at 0x7400 [00:02:0718] [Check Processes] [1552] svchost.exe [00:02:0734] [Check Processes] [1520] searchindexer.exe [00:02:0750] [Check Processes] [2096] LVComSer.exe [00:02:0750] Nb sections : 4 [00:02:0765] Parsing section : [6] .text [00:02:0765] Parsing section at 0x1000 [00:02:0781] Parsing section : [7] .rdata [00:02:0781] Parsing section at 0x1e000 [00:02:0781] Parsing section : [6] .data [00:02:0797] Parsing section at 0x25000 [00:02:0797] Parsing section : [6] .rsrc [00:02:0812] Parsing section at 0x27000 [00:02:0812] [Check Processes] [2752] alg.exe [00:02:0828] [Check Processes] [1084] RTHDCPL.exe [00:02:0828] Nb sections : 8 [00:02:0828] Parsing section : [6] .text [00:02:0843] Parsing section at 0x600 [00:02:0890] Parsing section : [6] .data [00:02:0906] Parsing section at 0x21cc00 [00:02:0906] Parsing section : [5] .tls [00:02:0906] Parsing section at 0x253200 [00:02:0922] Parsing section : [7] .rdata [00:02:0922] Parsing section at 0x253400 [00:02:0922] Parsing section : [7] .idata [00:02:0937] Parsing section at 0x253600 [00:02:0937] Parsing section : [7] .edata [00:02:0953] Parsing section at 0x256e00 [00:02:0968] Parsing section : [6] .rsrc [00:02:0968] Parsing section at 0x2ae400 [00:03:0250] Parsing section : [7] .reloc [00:03:0250] Parsing section at 0xf39400 [00:03:0265] [Check Processes] [1464] PDVDServ.exe [00:03:0281] Nb sections : 4 [00:03:0297] Parsing section : [6] .text [00:03:0297] Parsing section at 0x1000 [00:03:0312] Parsing section : [7] .rdata [00:03:0312] Parsing section at 0x7000 [00:03:0312] Parsing section : [6] .data [00:03:0328] Parsing section at 0x8000 [00:03:0328] Parsing section : [6] .rsrc [00:03:0328] Parsing section at 0xb000 [00:03:0343] [Check Processes] [3000] wuauclt.exe [00:03:0359] [Check Processes] [3328] LogMeInSystray.exe [00:03:0359] Nb sections : 5 [00:03:0375] Parsing section : [6] .text [00:03:0375] Parsing section at 0x1000 [00:03:0375] Parsing section : [7] .rdata [00:03:0390] Parsing section at 0x8000 [00:03:0390] Parsing section : [6] .data [00:03:0406] Parsing section at 0xa000 [00:03:0406] Parsing section : [6] .rsrc [00:03:0406] Parsing section at 0xb000 [00:03:0422] Parsing section : [7] .reloc [00:03:0422] Parsing section at 0xd000 [00:03:0437] [Check Processes] [3332] Communications_Helper.exe [00:03:0437] Nb sections : 4 [00:03:0453] Parsing section : [6] .text [00:03:0453] Parsing section at 0x400 [00:03:0468] Parsing section : [7] .rdata [00:03:0468] Parsing section at 0x33600 [00:03:0484] Parsing section : [6] .data [00:03:0484] Parsing section at 0x41c00 [00:03:0484] Parsing section : [6] .rsrc [00:03:0500] Parsing section at 0x45e00 [00:03:0515] [Check Processes] [3352] Quickcam.exe [00:03:0515] Nb sections : 4 [00:03:0531] Parsing section : [6] .text [00:03:0531] Parsing section at 0x400 [00:03:0547] Parsing section : [7] .rdata [00:03:0562] Parsing section at 0xccc00 [00:03:0562] Parsing section : [6] .data [00:03:0578] Parsing section at 0x108600 [00:03:0578] Parsing section : [6] .rsrc [00:03:0593] Parsing section at 0x10f600 [00:03:0625] [Check Processes] [2788] mbamgui.exe [00:03:0625] Nb sections : 5 [00:03:0640] Parsing section : [6] .text [00:03:0640] Parsing section at 0x400 [00:03:0656] Parsing section : [7] .rdata [00:03:0656] Parsing section at 0x1a400 [00:03:0656] Parsing section : [6] .data [00:03:0672] Parsing section at 0x1fc00 [00:03:0672] Parsing section : [6] .rsrc [00:03:0672] Parsing section at 0x21000 [00:03:0687] Parsing section : [7] .reloc [00:03:0703] Parsing section at 0x6ce00 [00:03:0703] [Check Processes] [3272] jusched.exe [00:03:0718] Nb sections : 4 [00:03:0718] Parsing section : [6] .text [00:03:0718] Parsing section at 0x400 [00:03:0734] Parsing section : [7] .rdata [00:03:0734] Parsing section at 0x2c200 [00:03:0750] Parsing section : [6] .data [00:03:0750] Parsing section at 0x38200 [00:03:0765] Parsing section : [6] .rsrc [00:03:0765] Parsing section at 0x3a400 [00:03:0781] [Check Processes] [844] msseces.exe [00:03:0781] Nb sections : 4 [00:03:0781] Parsing section : [6] .text [00:03:0797] Parsing section at 0x400 [00:03:0812] Parsing section : [6] .data [00:03:0828] Parsing section at 0xc0200 [00:03:0828] Parsing section : [6] .rsrc [00:03:0828] Parsing section at 0xc6a00 [00:03:0843] Parsing section : [7] .reloc [00:03:0843] Parsing section at 0xd0e00 [00:03:0859] [Check Processes] [3212] GoogleToolbarNotifier.exe [00:03:0859] Nb sections : 4 [00:03:0875] Parsing section : [6] .text [00:03:0875] Parsing section at 0x400 [00:03:0875] Parsing section : [7] .rdata [00:03:0890] Parsing section at 0x5e00 [00:03:0890] Parsing section : [6] .data [00:03:0906] Parsing section at 0x7a00 [00:03:0906] Parsing section : [6] .rsrc [00:03:0906] Parsing section at 0x8400 [00:03:0922] [Check Processes] [3716] msmsgs.exe [00:03:0922] Nb sections : 3 [00:03:0937] Parsing section : [6] .text [00:03:0937] Parsing section at 0x600 [00:03:0968] Parsing section : [6] .data [00:03:0968] Parsing section at 0x110400 [00:03:0984] Parsing section : [6] .rsrc [00:03:0984] Parsing section at 0x111c00 [00:04:0000] [Check Processes] [3884] WindowsSearch.exe [00:04:0015] Nb sections : 4 [00:04:0015] Parsing section : [6] .text [00:04:0031] Parsing section at 0x400 [00:04:0031] Parsing section : [6] .data [00:04:0047] Parsing section at 0x1a600 [00:04:0047] Parsing section : [6] .rsrc [00:04:0047] Parsing section at 0x1ac00 [00:04:0047] Parsing section : [7] .reloc [00:04:0062] Parsing section at 0x1c600 [00:04:0062] [Check Processes] [2280] COCIManager.exe [00:04:0078] Nb sections : 4 [00:04:0078] Parsing section : [6] .text [00:04:0093] Parsing section at 0x400 [00:04:0093] Parsing section : [7] .rdata [00:04:0109] Parsing section at 0x4e800 [00:04:0109] Parsing section : [6] .data [00:04:0109] Parsing section at 0x5ee00 [00:04:0125] Parsing section : [6] .rsrc [00:04:0125] Parsing section at 0x62c00 [00:04:0140] [Check Processes] [1720] LULnchr.exe [00:04:0140] Nb sections : 4 [00:04:0156] Parsing section : [6] .text [00:04:0156] Parsing section at 0x400 [00:04:0172] Parsing section : [7] .rdata [00:04:0172] Parsing section at 0x20400 [00:04:0172] Parsing section : [6] .data [00:04:0187] Parsing section at 0x25c00 [00:04:0187] Parsing section : [6] .rsrc [00:04:0187] Parsing section at 0x27400 [00:04:0203] [Check Processes] [2236] LogitechUpdate.exe [00:04:0203] Nb sections : 4 [00:04:0218] Parsing section : [6] .text [00:04:0218] Parsing section at 0x1000 [00:04:0234] Parsing section : [7] .rdata [00:04:0234] Parsing section at 0x4d000 [00:04:0250] Parsing section : [6] .data [00:04:0250] Parsing section at 0x68000 [00:04:0265] Parsing section : [6] .rsrc [00:04:0265] Parsing section at 0x6c000 [00:04:0281] [Check Processes] [532] iexplore.exe [00:04:0297] Nb sections : 4 [00:04:0297] Parsing section : [6] .text [00:04:0312] Parsing section at 0x400 [00:04:0312] Parsing section : [6] .data [00:04:0312] Parsing section at 0xa400 [00:04:0328] Parsing section : [6] .rsrc [00:04:0328] Parsing section at 0xac00 [00:04:0343] Parsing section : [7] .reloc [00:04:0359] Parsing section at 0x99c00 [00:04:0359] [Check Processes] [1460] iexplore.exe [00:04:0375] Nb sections : 4 [00:04:0375] Parsing section : [6] .text [00:04:0375] Parsing section at 0x400 [00:04:0390] Parsing section : [6] .data [00:04:0390] Parsing section at 0xa400 [00:04:0406] Parsing section : [6] .rsrc [00:04:0406] Parsing section at 0xac00 [00:04:0422] Parsing section : [7] .reloc [
  7. Ran TDSSKiller, here is the log: 13:42:46.0218 5324 TDSS rootkit removing tool 2.8.7.0 Aug 20 2012 17:30:03 13:42:46.0484 5324 ============================================================ 13:42:46.0484 5324 Current date / time: 2012/08/22 13:42:46.0484 13:42:46.0484 5324 SystemInfo: 13:42:46.0484 5324 13:42:46.0484 5324 OS Version: 5.1.2600 ServicePack: 3.0 13:42:46.0484 5324 Product type: Workstation 13:42:46.0484 5324 ComputerName: ACER-E355056E8B 13:42:46.0484 5324 UserName: raleigh 13:42:46.0484 5324 Windows directory: C:\WINDOWS 13:42:46.0484 5324 System windows directory: C:\WINDOWS 13:42:46.0484 5324 Processor architecture: Intel x86 13:42:46.0484 5324 Number of processors: 1 13:42:46.0484 5324 Page size: 0x1000 13:42:46.0484 5324 Boot type: Normal boot 13:42:46.0484 5324 ============================================================ 13:42:48.0515 5324 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054 13:42:48.0546 5324 ============================================================ 13:42:48.0546 5324 \Device\Harddisk0\DR0: 13:42:48.0546 5324 MBR partitions: 13:42:48.0546 5324 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950E482 13:42:48.0546 5324 ============================================================ 13:42:48.0578 5324 C: <-> \Device\Harddisk0\DR0\Partition1 13:42:48.0578 5324 ============================================================ 13:42:48.0578 5324 Initialize success 13:42:48.0578 5324 ============================================================ 13:44:08.0546 5068 ============================================================ 13:44:08.0546 5068 Scan started 13:44:08.0546 5068 Mode: Manual; SigCheck; TDLFS; 13:44:08.0546 5068 ============================================================ 13:44:10.0328 5068 ================ Scan services ============================= 13:44:11.0031 5068 Abiosdsk - ok 13:44:11.0062 5068 abp480n5 - ok 13:44:11.0109 5068 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys 13:44:12.0906 5068 ACPI - ok 13:44:12.0937 5068 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys 13:44:13.0140 5068 ACPIEC - ok 13:44:13.0234 5068 [ A9D3B95E8466BD58EEB8A1154654E162 ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe 13:44:13.0265 5068 AdobeFlashPlayerUpdateSvc - ok 13:44:13.0296 5068 adpu160m - ok 13:44:13.0328 5068 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys 13:44:13.0562 5068 aec - ok 13:44:13.0609 5068 [ A7B8A3A79D35215D798A300DF49ED23F ] Afc C:\WINDOWS\system32\drivers\Afc.sys 13:44:13.0687 5068 Afc ( UnsignedFile.Multi.Generic ) - warning 13:44:13.0687 5068 Afc - detected UnsignedFile.Multi.Generic (1) 13:44:13.0734 5068 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys 13:44:13.0859 5068 AFD - ok 13:44:13.0890 5068 Aha154x - ok 13:44:13.0906 5068 aic78u2 - ok 13:44:13.0921 5068 aic78xx - ok 13:44:13.0968 5068 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll 13:44:14.0171 5068 Alerter - ok 13:44:14.0203 5068 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe 13:44:14.0484 5068 ALG - ok 13:44:14.0500 5068 AliIde - ok 13:44:14.0515 5068 amsint - ok 13:44:14.0593 5068 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll 13:44:14.0765 5068 AppMgmt - ok 13:44:14.0765 5068 asc - ok 13:44:14.0796 5068 asc3350p - ok 13:44:14.0812 5068 asc3550 - ok 13:44:14.0953 5068 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe 13:44:15.0000 5068 aspnet_state - ok 13:44:15.0031 5068 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys 13:44:15.0250 5068 AsyncMac - ok 13:44:15.0281 5068 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys 13:44:15.0500 5068 atapi - ok 13:44:15.0515 5068 Atdisk - ok 13:44:15.0546 5068 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys 13:44:15.0734 5068 Atmarpc - ok 13:44:15.0781 5068 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll 13:44:16.0000 5068 AudioSrv - ok 13:44:16.0046 5068 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys 13:44:16.0281 5068 audstub - ok 13:44:16.0328 5068 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys 13:44:16.0578 5068 Beep - ok 13:44:16.0625 5068 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll 13:44:16.0906 5068 BITS - ok 13:44:16.0968 5068 [ A06CE3399D16DB864F55FAEB1F1927A9 ] Browser C:\WINDOWS\System32\browser.dll 13:44:17.0187 5068 Browser - ok 13:44:17.0218 5068 [ 2120B6607CBBE426CE821643838EA1D3 ] BVRPMPR5 C:\WINDOWS\system32\drivers\BVRPMPR5.SYS 13:44:17.0296 5068 BVRPMPR5 ( UnsignedFile.Multi.Generic ) - warning 13:44:17.0296 5068 BVRPMPR5 - detected UnsignedFile.Multi.Generic (1) 13:44:17.0453 5068 catchme - ok 13:44:17.0500 5068 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys 13:44:17.0734 5068 cbidf2k - ok 13:44:17.0765 5068 [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys 13:44:18.0000 5068 CCDECODE - ok 13:44:18.0015 5068 cd20xrnt - ok 13:44:18.0062 5068 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys 13:44:18.0328 5068 Cdaudio - ok 13:44:18.0343 5068 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys 13:44:18.0546 5068 Cdfs - ok 13:44:18.0609 5068 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys 13:44:18.0781 5068 Cdrom - ok 13:44:18.0796 5068 Changer - ok 13:44:18.0843 5068 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe 13:44:19.0062 5068 CiSvc - ok 13:44:19.0093 5068 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe 13:44:19.0296 5068 ClipSrv - ok 13:44:19.0343 5068 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 13:44:19.0406 5068 clr_optimization_v2.0.50727_32 - ok 13:44:19.0500 5068 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 13:44:19.0546 5068 clr_optimization_v4.0.30319_32 - ok 13:44:19.0562 5068 CmdIde - ok 13:44:19.0625 5068 [ 558F320272D683B70AC7C3E2FB374F67 ] cmo_bus C:\WINDOWS\system32\DRIVERS\cmo_bus.sys 13:44:19.0656 5068 cmo_bus - ok 13:44:19.0703 5068 [ 44799C299272246D1DB599667314BD7B ] cmo_mdfl C:\WINDOWS\system32\DRIVERS\cmo_mdfl.sys 13:44:19.0781 5068 cmo_mdfl - ok 13:44:19.0812 5068 [ 93560533D251E93D4B93D27F67DEB2BF ] cmo_mdm C:\WINDOWS\system32\DRIVERS\cmo_mdm.sys 13:44:19.0843 5068 cmo_mdm - ok 13:44:19.0890 5068 [ FBB270F9DC4FFA40DB8EFAD8A2D744FC ] cmo_serd C:\WINDOWS\system32\DRIVERS\cmo_serd.sys 13:44:19.0984 5068 cmo_serd - ok 13:44:20.0000 5068 COMSysApp - ok 13:44:20.0046 5068 Cpqarray - ok 13:44:20.0093 5068 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll 13:44:20.0328 5068 CryptSvc - ok 13:44:20.0343 5068 dac2w2k - ok 13:44:20.0359 5068 dac960nt - ok 13:44:20.0406 5068 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll 13:44:20.0531 5068 DcomLaunch - ok 13:44:20.0609 5068 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll 13:44:20.0875 5068 Dhcp - ok 13:44:20.0937 5068 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys 13:44:21.0109 5068 Disk - ok 13:44:21.0125 5068 dmadmin - ok 13:44:21.0203 5068 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys 13:44:21.0406 5068 dmboot - ok 13:44:21.0453 5068 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys 13:44:21.0687 5068 dmio - ok 13:44:21.0718 5068 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys 13:44:21.0937 5068 dmload - ok 13:44:21.0968 5068 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll 13:44:22.0203 5068 dmserver - ok 13:44:22.0250 5068 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys 13:44:22.0437 5068 DMusic - ok 13:44:22.0484 5068 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll 13:44:22.0781 5068 Dnscache - ok 13:44:22.0828 5068 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll 13:44:23.0109 5068 Dot3svc - ok 13:44:23.0140 5068 dpti2o - ok 13:44:23.0187 5068 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys 13:44:23.0421 5068 drmkaud - ok 13:44:23.0468 5068 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll 13:44:23.0703 5068 EapHost - ok 13:44:23.0796 5068 [ 8FE6AB59CAB8F2C038FEA9522A5EEBA7 ] EPSON_PM_RPCV4_01 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE 13:44:24.0187 5068 EPSON_PM_RPCV4_01 - ok 13:44:24.0234 5068 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll 13:44:24.0609 5068 ERSvc - ok 13:44:24.0656 5068 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe 13:44:24.0859 5068 Eventlog - ok 13:44:24.0921 5068 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll 13:44:25.0406 5068 EventSystem - ok 13:44:25.0437 5068 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys 13:44:25.0796 5068 Fastfat - ok 13:44:25.0843 5068 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll 13:44:26.0265 5068 FastUserSwitchingCompatibility - ok 13:44:26.0312 5068 [ E97D6A8684466DF94FF3BC24FB787A07 ] Fax C:\WINDOWS\system32\fxssvc.exe 13:44:26.0843 5068 Fax - ok 13:44:26.0921 5068 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys 13:44:27.0171 5068 Fdc - ok 13:44:27.0218 5068 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys 13:44:27.0468 5068 Fips - ok 13:44:27.0500 5068 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys 13:44:27.0734 5068 Flpydisk - ok 13:44:27.0968 5068 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys 13:44:28.0281 5068 FltMgr - ok 13:44:28.0390 5068 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 13:44:28.0421 5068 FontCache3.0.0.0 - ok 13:44:28.0484 5068 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys 13:44:28.0921 5068 Fs_Rec - ok 13:44:28.0937 5068 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys 13:44:29.0578 5068 Ftdisk - ok 13:44:29.0625 5068 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys 13:44:30.0078 5068 Gpc - ok 13:44:30.0218 5068 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe 13:44:30.0250 5068 gupdate - ok 13:44:30.0265 5068 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe 13:44:30.0281 5068 gupdatem - ok 13:44:30.0359 5068 [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe 13:44:30.0390 5068 gusvc - ok 13:44:30.0453 5068 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 13:44:30.0843 5068 HDAudBus - ok 13:44:30.0937 5068 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll 13:44:31.0234 5068 helpsvc - ok 13:44:31.0234 5068 HidServ - ok 13:44:31.0281 5068 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys 13:44:31.0656 5068 HidUsb - ok 13:44:31.0734 5068 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll 13:44:32.0125 5068 hkmsvc - ok 13:44:32.0140 5068 hpn - ok 13:44:32.0250 5068 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys 13:44:32.0484 5068 HTTP - ok 13:44:32.0546 5068 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll 13:44:32.0937 5068 HTTPFilter - ok 13:44:33.0000 5068 [ 2310CA92D37D97C9231ADF1796B47B9D ] hwdatacard C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys 13:44:33.0140 5068 hwdatacard - ok 13:44:33.0171 5068 i2omgmt - ok 13:44:33.0203 5068 i2omp - ok 13:44:33.0234 5068 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys 13:44:33.0500 5068 i8042prt - ok 13:44:33.0578 5068 [ DAF66902F08796F9C694901660E5A64A ] IDriverT C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe 13:44:33.0718 5068 IDriverT ( UnsignedFile.Multi.Generic ) - warning 13:44:33.0718 5068 IDriverT - detected UnsignedFile.Multi.Generic (1) 13:44:33.0859 5068 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe 13:44:33.0953 5068 idsvc - ok 13:44:34.0093 5068 [ DB3C22745C0DA4666F3BE31F1AF36B2F ] IISADMIN C:\WINDOWS\system32\inetsrv\inetinfo.exe 13:44:34.0343 5068 IISADMIN - ok 13:44:34.0390 5068 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys 13:44:34.0765 5068 Imapi - ok 13:44:34.0828 5068 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe 13:44:35.0265 5068 ImapiService - ok 13:44:35.0296 5068 ini910u - ok 13:44:35.0656 5068 [ B29781B9A90CD55FC5D859C0B1C243BC ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys 13:44:36.0187 5068 IntcAzAudAddService - ok 13:44:36.0203 5068 IntelIde - ok 13:44:36.0281 5068 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys 13:44:36.0531 5068 intelppm - ok 13:44:36.0562 5068 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys 13:44:36.0906 5068 Ip6Fw - ok 13:44:36.0937 5068 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 13:44:37.0296 5068 IpFilterDriver - ok 13:44:37.0359 5068 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys 13:44:37.0750 5068 IpInIp - ok 13:44:37.0781 5068 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys 13:44:38.0062 5068 IpNat - ok 13:44:38.0078 5068 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys 13:44:38.0343 5068 IPSec - ok 13:44:38.0468 5068 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys 13:44:39.0531 5068 IRENUM - ok 13:44:39.0578 5068 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys 13:44:39.0828 5068 isapnp - ok 13:44:39.0953 5068 [ 0A5709543986843D37A92290B7838340 ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe 13:44:39.0984 5068 JavaQuickStarterService - ok 13:44:40.0000 5068 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys 13:44:40.0312 5068 Kbdclass - ok 13:44:40.0343 5068 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys 13:44:40.0578 5068 kmixer - ok 13:44:40.0609 5068 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys 13:44:40.0906 5068 KSecDD - ok 13:44:40.0953 5068 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll 13:44:41.0171 5068 lanmanserver - ok 13:44:41.0203 5068 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll 13:44:41.0453 5068 lanmanworkstation - ok 13:44:41.0468 5068 lbrtfdc - ok 13:44:41.0531 5068 LightScribeService - ok 13:44:41.0593 5068 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll 13:44:41.0843 5068 LmHosts - ok 13:44:41.0921 5068 [ F622A3C0C10A26C1DC789CDEB0B2A4EB ] LMIGuardianSvc C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe 13:44:41.0968 5068 LMIGuardianSvc - ok 13:44:41.0968 5068 [ 4F69FAAABB7DB0D43E327C0B6AAB40FC ] LMIInfo C:\Program Files\LogMeIn\x86\RaInfo.sys 13:44:42.0046 5068 LMIInfo - ok 13:44:42.0062 5068 [ CE9E8BF4E9194B29767CDA90F8BDC675 ] LMIMaint C:\Program Files\LogMeIn\x86\RaMaint.exe 13:44:42.0093 5068 LMIMaint - ok 13:44:42.0125 5068 [ 4477689E2D8AE6B78BA34C9AF4CC1ED1 ] lmimirr C:\WINDOWS\system32\DRIVERS\lmimirr.sys 13:44:42.0140 5068 lmimirr - ok 13:44:42.0156 5068 LMIRfsClientNP - ok 13:44:42.0156 5068 [ 3FAA563DDF853320F90259D455A01D79 ] LMIRfsDriver C:\WINDOWS\system32\drivers\LMIRfsDriver.sys 13:44:42.0187 5068 LMIRfsDriver - ok 13:44:42.0218 5068 [ 432618FA75B61059D2C57D6A7E55147A ] LogMeIn C:\Program Files\LogMeIn\x86\LogMeIn.exe 13:44:42.0250 5068 LogMeIn - ok 13:44:42.0343 5068 [ 38440FE1A65B1FE3D246C5C4CAD22F53 ] LVCOMSer C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe 13:44:42.0359 5068 LVCOMSer - ok 13:44:42.0390 5068 [ A6919138F29AE45E90E99FA94737E04C ] LVPr2Mon C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys 13:44:42.0406 5068 LVPr2Mon - ok 13:44:42.0453 5068 [ 28BD0E4B6C050B591B8CB35B9AD284E6 ] LVPrcSrv C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe 13:44:42.0484 5068 LVPrcSrv - ok 13:44:42.0531 5068 [ 87ECCE893D8AEC5A9337B917742D339C ] LVRS C:\WINDOWS\system32\DRIVERS\lvrs.sys 13:44:42.0687 5068 LVRS - ok 13:44:42.0734 5068 [ 23F8EF78BB9553E465A476F3CEE5CA18 ] LVUSBSta C:\WINDOWS\system32\drivers\LVUSBSta.sys 13:44:42.0781 5068 LVUSBSta - ok 13:44:42.0812 5068 [ 6DFE7F2E8E8A337263AA5C92A215F161 ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys 13:44:42.0828 5068 MBAMProtector - ok 13:44:42.0921 5068 [ 43683E970F008C93C9429EF428147A54 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe 13:44:43.0000 5068 MBAMService - ok 13:44:43.0031 5068 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll 13:44:43.0328 5068 Messenger - ok 13:44:43.0359 5068 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys 13:44:43.0609 5068 mnmdd - ok 13:44:43.0640 5068 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe 13:44:43.0953 5068 mnmsrvc - ok 13:44:43.0968 5068 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys 13:44:44.0218 5068 Modem - ok 13:44:44.0234 5068 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys 13:44:44.0468 5068 Mouclass - ok 13:44:44.0531 5068 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys 13:44:44.0828 5068 mouhid - ok 13:44:44.0843 5068 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys 13:44:45.0187 5068 MountMgr - ok 13:44:45.0250 5068 [ D993BEA500E7382DC4E760BF4F35EFCB ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys 13:44:45.0281 5068 MpFilter - ok 13:44:45.0437 5068 [ A69630D039C38018689190234F866D77 ] MpKsl42ddbec7 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F4AAC47B-0E3E-4B7C-A2C4-FCAE8AFF1398}\MpKsl42ddbec7.sys 13:44:45.0453 5068 MpKsl42ddbec7 - ok 13:44:45.0468 5068 mraid35x - ok 13:44:45.0500 5068 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys 13:44:45.0750 5068 MRxDAV - ok 13:44:45.0843 5068 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 13:44:46.0093 5068 MRxSmb - ok 13:44:46.0125 5068 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe 13:44:46.0437 5068 MSDTC - ok 13:44:46.0468 5068 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys 13:44:46.0921 5068 Msfs - ok 13:44:46.0921 5068 MSIServer - ok 13:44:46.0953 5068 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys 13:44:47.0171 5068 MSKSSRV - ok 13:44:47.0265 5068 [ 24516BF4E12A46CB67302E2CDCB8CDDF ] MsMpSvc c:\Program Files\Microsoft Security Client\MsMpEng.exe 13:44:47.0296 5068 MsMpSvc - ok 13:44:47.0312 5068 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys 13:44:47.0578 5068 MSPCLOCK - ok 13:44:47.0593 5068 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys 13:44:47.0843 5068 MSPQM - ok 13:44:47.0875 5068 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys 13:44:48.0234 5068 mssmbios - ok 13:44:48.0250 5068 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys 13:44:48.0609 5068 MSTEE - ok 13:44:48.0640 5068 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys 13:44:48.0796 5068 Mup - ok 13:44:48.0812 5068 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys 13:44:49.0015 5068 NABTSFEC - ok 13:44:49.0078 5068 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll 13:44:49.0328 5068 napagent - ok 13:44:49.0359 5068 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys 13:44:49.0671 5068 NDIS - ok 13:44:49.0687 5068 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys 13:44:49.0890 5068 NdisIP - ok 13:44:49.0937 5068 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys 13:44:50.0062 5068 NdisTapi - ok 13:44:50.0093 5068 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys 13:44:50.0265 5068 Ndisuio - ok 13:44:50.0312 5068 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys 13:44:50.0500 5068 NdisWan - ok 13:44:50.0531 5068 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys 13:44:50.0703 5068 NDProxy - ok 13:44:50.0718 5068 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys 13:44:50.0859 5068 NetBIOS - ok 13:44:50.0875 5068 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys 13:44:51.0046 5068 NetBT - ok 13:44:51.0093 5068 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe 13:44:51.0281 5068 NetDDE - ok 13:44:51.0281 5068 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe 13:44:51.0453 5068 NetDDEdsdm - ok 13:44:51.0468 5068 netlimiter - ok 13:44:51.0484 5068 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe 13:44:51.0687 5068 Netlogon - ok 13:44:51.0812 5068 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll 13:44:52.0000 5068 Netman - ok 13:44:52.0046 5068 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe 13:44:52.0062 5068 NetTcpPortSharing - ok 13:44:52.0125 5068 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll 13:44:52.0156 5068 Nla - ok 13:44:52.0187 5068 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys 13:44:52.0359 5068 Npfs - ok 13:44:52.0593 5068 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys 13:44:52.0890 5068 Ntfs - ok 13:44:52.0968 5068 [ 7F1C1F78D709C4A54CBB46EDE7E0B48D ] NTIDrvr C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys 13:44:53.0015 5068 NTIDrvr ( UnsignedFile.Multi.Generic ) - warning 13:44:53.0015 5068 NTIDrvr - detected UnsignedFile.Multi.Generic (1) 13:44:53.0015 5068 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe 13:44:53.0187 5068 NtLmSsp - ok 13:44:53.0265 5068 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll 13:44:53.0718 5068 NtmsSvc - ok 13:44:53.0750 5068 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys 13:44:54.0187 5068 Null - ok 13:44:54.0218 5068 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 13:44:54.0421 5068 NwlnkFlt - ok 13:44:54.0437 5068 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 13:44:54.0687 5068 NwlnkFwd - ok 13:44:54.0890 5068 [ 785F487A64950F3CB8E9F16253BA3B7B ] odserv C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE 13:44:54.0921 5068 odserv - ok 13:44:54.0921 5068 osaio - ok 13:44:55.0000 5068 [ 5A432A042DAE460ABE7199B758E8606C ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 13:44:55.0031 5068 ose - ok 13:44:55.0093 5068 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys 13:44:55.0328 5068 Parport - ok 13:44:55.0375 5068 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys 13:44:55.0562 5068 PartMgr - ok 13:44:55.0593 5068 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys 13:44:55.0796 5068 ParVdm - ok 13:44:55.0812 5068 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys 13:44:55.0984 5068 PCI - ok 13:44:56.0000 5068 PCIDump - ok 13:44:56.0015 5068 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys 13:44:56.0234 5068 PCIIde - ok 13:44:56.0281 5068 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys 13:44:56.0484 5068 Pcmcia - ok 13:44:56.0500 5068 PDCOMP - ok 13:44:56.0500 5068 PDFRAME - ok 13:44:56.0515 5068 PDRELI - ok 13:44:56.0531 5068 PDRFRAME - ok 13:44:56.0578 5068 [ B20F958B207E6AAAC5F70D04DD2C30D8 ] pepifilter C:\WINDOWS\system32\DRIVERS\lv302af.sys 13:44:56.0593 5068 pepifilter - ok 13:44:56.0609 5068 perc2 - ok 13:44:56.0625 5068 perc2hib - ok 13:44:56.0734 5068 [ 6B310DE726E1A0DEFD66718A7F79B5D2 ] PID_08A0 C:\WINDOWS\system32\DRIVERS\LV302AV.SYS 13:44:56.0796 5068 PID_08A0 - ok 13:44:56.0937 5068 [ DD184D9ADFE2A8A21741DBDFE9E22F5C ] PID_PEPI C:\WINDOWS\system32\DRIVERS\LV302V32.SYS 13:44:57.0078 5068 PID_PEPI - ok 13:44:57.0109 5068 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe 13:44:57.0187 5068 PlugPlay - ok 13:44:57.0203 5068 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe 13:44:57.0359 5068 PolicyAgent - ok 13:44:57.0390 5068 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys 13:44:57.0562 5068 PptpMiniport - ok 13:44:57.0578 5068 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe 13:44:57.0750 5068 ProtectedStorage - ok 13:44:57.0765 5068 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys 13:44:57.0921 5068 PSched - ok 13:44:57.0937 5068 psdfilter - ok 13:44:57.0953 5068 psdvdisk - ok 13:44:57.0968 5068 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys 13:44:58.0171 5068 Ptilink - ok 13:44:58.0171 5068 ql1080 - ok 13:44:58.0187 5068 Ql10wnt - ok 13:44:58.0203 5068 ql12160 - ok 13:44:58.0218 5068 ql1240 - ok 13:44:58.0218 5068 ql1280 - ok 13:44:58.0250 5068 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys 13:44:58.0453 5068 RasAcd - ok 13:44:58.0609 5068 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll 13:44:58.0781 5068 RasAuto - ok 13:44:58.0812 5068 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 13:44:58.0968 5068 Rasl2tp - ok 13:44:59.0015 5068 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll 13:44:59.0218 5068 RasMan - ok 13:44:59.0218 5068 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys 13:44:59.0500 5068 RasPppoe - ok 13:44:59.0515 5068 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys 13:44:59.0718 5068 Raspti - ok 13:44:59.0750 5068 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys 13:44:59.0953 5068 Rdbss - ok 13:45:00.0000 5068 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 13:45:00.0265 5068 RDPCDD - ok 13:45:00.0312 5068 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys 13:45:00.0812 5068 rdpdr - ok 13:45:00.0875 5068 [ 6589DB6E5969F8EEE594CF71171C5028 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys 13:45:01.0140 5068 RDPWD - ok 13:45:01.0187 5068 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe 13:45:01.0421 5068 RDSessMgr - ok 13:45:01.0500 5068 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys 13:45:01.0750 5068 redbook - ok 13:45:01.0781 5068 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll 13:45:02.0203 5068 RemoteAccess - ok 13:45:02.0265 5068 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll 13:45:02.0546 5068 RemoteRegistry - ok 13:45:02.0562 5068 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe 13:45:02.0859 5068 RpcLocator - ok 13:45:02.0890 5068 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll 13:45:03.0046 5068 RpcSs - ok 13:45:03.0078 5068 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe 13:45:03.0375 5068 RSVP - ok 13:45:03.0390 5068 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe 13:45:03.0640 5068 SamSs - ok 13:45:03.0671 5068 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe 13:45:03.0906 5068 SCardSvr - ok 13:45:03.0953 5068 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll 13:45:04.0234 5068 Schedule - ok 13:45:04.0281 5068 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys 13:45:04.0625 5068 Secdrv - ok 13:45:04.0656 5068 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll 13:45:04.0937 5068 seclogon - ok 13:45:04.0968 5068 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll 13:45:05.0171 5068 SENS - ok 13:45:05.0203 5068 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys 13:45:05.0500 5068 serenum - ok 13:45:05.0531 5068 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys 13:45:05.0843 5068 Serial - ok 13:45:05.0890 5068 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys 13:45:06.0156 5068 Sfloppy - ok 13:45:06.0234 5068 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll 13:45:06.0546 5068 SharedAccess - ok 13:45:06.0578 5068 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll 13:45:06.0812 5068 ShellHWDetection - ok 13:45:06.0812 5068 Simbad - ok 13:45:06.0875 5068 [ 88F2AEBB99C5BDC2F12A1F47E5355730 ] SiS315 C:\WINDOWS\system32\DRIVERS\sisgrp.sys 13:45:07.0000 5068 SiS315 - ok 13:45:07.0046 5068 [ 37DAA9F59A3FF30A314FD98EE8F47000 ] SiSGbeXP C:\WINDOWS\system32\DRIVERS\SiSGbeXP.sys 13:45:07.0218 5068 SiSGbeXP - ok 13:45:07.0250 5068 [ 2E49C8D6057EB13AA30733CA2F592348 ] SiSkp C:\WINDOWS\system32\DRIVERS\srvkp.sys 13:45:07.0390 5068 SiSkp - ok 13:45:07.0406 5068 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys 13:45:07.0671 5068 SLIP - ok 13:45:07.0703 5068 [ DB3C22745C0DA4666F3BE31F1AF36B2F ] SMTPSVC C:\WINDOWS\system32\inetsrv\inetinfo.exe 13:45:08.0062 5068 SMTPSVC - ok 13:45:08.0093 5068 [ 60C377BE6B3CC83F6A8584934B181D2E ] SNMP C:\WINDOWS\System32\snmp.exe 13:45:08.0359 5068 SNMP - ok 13:45:08.0375 5068 [ 80A050795A107A76C2B1CD4CFBE010E6 ] SNMPTRAP C:\WINDOWS\System32\snmptrap.exe 13:45:08.0640 5068 SNMPTRAP - ok 13:45:08.0640 5068 Sparrow - ok 13:45:08.0671 5068 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys 13:45:08.0906 5068 splitter - ok 13:45:08.0953 5068 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe 13:45:09.0156 5068 Spooler - ok 13:45:09.0187 5068 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys 13:45:09.0484 5068 sr - ok 13:45:09.0515 5068 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll 13:45:09.0734 5068 srservice - ok 13:45:09.0828 5068 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys 13:45:09.0968 5068 Srv - ok 13:45:10.0015 5068 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll 13:45:10.0234 5068 SSDPSRV - ok 13:45:10.0296 5068 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll 13:45:10.0640 5068 stisvc - ok 13:45:10.0656 5068 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys 13:45:10.0859 5068 streamip - ok 13:45:10.0890 5068 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys 13:45:11.0125 5068 swenum - ok 13:45:11.0187 5068 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys 13:45:11.0453 5068 swmidi - ok 13:45:11.0468 5068 SwPrv - ok 13:45:11.0593 5068 [ 6FDA95007C483C378824F86FE351AA9C ] Symantec Core LC C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe 13:45:11.0703 5068 Symantec Core LC - ok 13:45:11.0718 5068 symc810 - ok 13:45:11.0734 5068 symc8xx - ok 13:45:11.0734 5068 sym_hi - ok 13:45:11.0750 5068 sym_u3 - ok 13:45:11.0781 5068 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys 13:45:12.0000 5068 sysaudio - ok 13:45:12.0046 5068 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe 13:45:12.0296 5068 SysmonLog - ok 13:45:12.0328 5068 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll 13:45:12.0609 5068 TapiSrv - ok 13:45:12.0656 5068 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys 13:45:12.0812 5068 Tcpip - ok 13:45:12.0843 5068 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys 13:45:13.0093 5068 TDPIPE - ok 13:45:13.0140 5068 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys 13:45:13.0500 5068 TDTCP - ok 13:45:13.0546 5068 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys 13:45:13.0890 5068 TermDD - ok 13:45:13.0953 5068 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll 13:45:14.0250 5068 TermService - ok 13:45:14.0281 5068 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll 13:45:14.0468 5068 Themes - ok 13:45:14.0515 5068 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe 13:45:14.0765 5068 TlntSvr - ok 13:45:14.0765 5068 TosIde - ok 13:45:14.0812 5068 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll 13:45:15.0125 5068 TrkWks - ok 13:45:15.0171 5068 [ B3C9C35DC93563B8D19AD414EDF2FC82 ] TrueSight c:\windows\system32\drivers\TrueSight.sys 13:45:15.0296 5068 TrueSight ( UnsignedFile.Multi.Generic ) - warning 13:45:15.0296 5068 TrueSight - detected UnsignedFile.Multi.Generic (1) 13:45:15.0343 5068 [ D85938F272D1BCF3DB3A31FC0A048928 ] uagp35 C:\WINDOWS\system32\DRIVERS\uagp35.sys 13:45:15.0656 5068 uagp35 - ok 13:45:15.0703 5068 [ E0C67BE430C6DE490D6CCAECFA071F9E ] UBHelper C:\WINDOWS\system32\drivers\UBHelper.sys 13:45:15.0796 5068 UBHelper ( UnsignedFile.Multi.Generic ) - warning 13:45:15.0796 5068 UBHelper - detected UnsignedFile.Multi.Generic (1) 13:45:15.0812 5068 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys 13:45:16.0062 5068 Udfs - ok 13:45:16.0078 5068 ultra - ok 13:45:16.0125 5068 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys 13:45:16.0484 5068 Update - ok 13:45:16.0531 5068 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll 13:45:16.0875 5068 upnphost - ok 13:45:16.0906 5068 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe 13:45:17.0156 5068 UPS - ok 13:45:17.0218 5068 [ E919708DB44ED8543A7C017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys 13:45:17.0468 5068 usbaudio - ok 13:45:17.0515 5068 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys 13:45:17.0765 5068 usbccgp - ok 13:45:17.0781 5068 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys 13:45:18.0062 5068 usbehci - ok 13:45:18.0078 5068 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys 13:45:18.0312 5068 usbhub - ok 13:45:18.0375 5068 [ 0DAECCE65366EA32B162F85F07C6753B ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys 13:45:18.0687 5068 usbohci - ok 13:45:18.0703 5068 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys 13:45:18.0921 5068 usbprint - ok 13:45:18.0953 5068 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys 13:45:19.0359 5068 usbscan - ok 13:45:19.0390 5068 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 13:45:19.0687 5068 USBSTOR - ok 13:45:19.0703 5068 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys 13:45:20.0000 5068 VgaSave - ok 13:45:20.0000 5068 ViaIde - ok 13:45:20.0031 5068 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys 13:45:20.0406 5068 VolSnap - ok 13:45:20.0437 5068 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe 13:45:20.0953 5068 VSS - ok 13:45:20.0984 5068 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll 13:45:21.0203 5068 W32Time - ok 13:45:21.0265 5068 [ DB3C22745C0DA4666F3BE31F1AF36B2F ] W3SVC C:\WINDOWS\system32\inetsrv\inetinfo.exe 13:45:21.0500 5068 W3SVC - ok 13:45:21.0515 5068 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys 13:45:21.0875 5068 Wanarp - ok 13:45:21.0875 5068 WDICA - ok 13:45:21.0906 5068 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys 13:45:22.0218 5068 wdmaud - ok 13:45:22.0250 5068 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll 13:45:22.0500 5068 WebClient - ok 13:45:22.0609 5068 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll 13:45:23.0000 5068 winmgmt - ok 13:45:23.0093 5068 [ 18F347402DA544A780949B8FDF83351B ] WinRM C:\WINDOWS\system32\WsmSvc.dll 13:45:23.0406 5068 WinRM - ok 13:45:23.0484 5068 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll 13:45:23.0734 5068 WmdmPmSN - ok 13:45:23.0812 5068 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll 13:45:24.0234 5068 Wmi - ok 13:45:24.0265 5068 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe 13:45:24.0734 5068 WmiApSrv - ok 13:45:24.0843 5068 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe 13:45:25.0000 5068 WMPNetworkSvc - ok 13:45:25.0078 5068 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe 13:45:25.0140 5068 WPFFontCache_v0400 - ok 13:45:25.0203 5068 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll 13:45:25.0453 5068 wscsvc - ok 13:45:25.0468 5068 WSearch - ok 13:45:25.0515 5068 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS 13:45:25.0765 5068 WSTCODEC - ok 13:45:25.0812 5068 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll 13:45:26.0093 5068 wuauserv - ok 13:45:26.0156 5068 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys 13:45:26.0484 5068 WudfPf - ok 13:45:26.0531 5068 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys 13:45:26.0593 5068 WudfRd - ok 13:45:26.0625 5068 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll 13:45:26.0703 5068 WudfSvc - ok 13:45:26.0828 5068 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll 13:45:27.0015 5068 WZCSVC - ok 13:45:27.0093 5068 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll 13:45:27.0250 5068 xmlprov - ok 13:45:27.0265 5068 ================ Scan global =============================== 13:45:27.0312 5068 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll 13:45:27.0421 5068 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll 13:45:27.0468 5068 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll 13:45:27.0500 5068 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe 13:45:27.0515 5068 [Global] - ok 13:45:27.0515 5068 ================ Scan MBR ================================== 13:45:27.0546 5068 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0 13:45:27.0546 5068 Suspicious mbr (Forged): \Device\Harddisk0\DR0 13:45:27.0562 5068 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected 13:45:27.0562 5068 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0) 13:45:27.0609 5068 \Device\Harddisk0\DR0 ( TDSS File System ) - warning 13:45:27.0609 5068 \Device\Harddisk0\DR0 - detected TDSS File System (1) 13:45:27.0609 5068 ================ Scan VBR ================================== 13:45:27.0625 5068 [ C7B01142D356A5634109D83B69A6AD21 ] \Device\Harddisk0\DR0\Partition1 13:45:27.0625 5068 \Device\Harddisk0\DR0\Partition1 - ok 13:45:27.0625 5068 ============================================================ 13:45:27.0625 5068 Scan finished 13:45:27.0625 5068 ============================================================ 13:45:27.0781 5060 Detected object count: 8 13:45:27.0781 5060 Actual detected object count: 8 13:46:14.0406 5060 Afc ( UnsignedFile.Multi.Generic ) - skipped by user 13:46:14.0406 5060 Afc ( UnsignedFile.Multi.Generic ) - User select action: Skip 13:46:14.0421 5060 BVRPMPR5 ( UnsignedFile.Multi.Generic ) - skipped by user 13:46:14.0421 5060 BVRPMPR5 ( UnsignedFile.Multi.Generic ) - User select action: Skip 13:46:14.0421 5060 IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user 13:46:14.0421 5060 IDriverT ( UnsignedFile.Multi.Generic ) - User select action: Skip 13:46:14.0421 5060 NTIDrvr ( UnsignedFile.Multi.Generic ) - skipped by user 13:46:14.0421 5060 NTIDrvr ( UnsignedFile.Multi.Generic ) - User select action: Skip 13:46:14.0437 5060 TrueSight ( UnsignedFile.Multi.Generic ) - skipped by user 13:46:14.0437 5060 TrueSight ( UnsignedFile.Multi.Generic ) - User select action: Skip 13:46:14.0437 5060 UBHelper ( UnsignedFile.Multi.Generic ) - skipped by user 13:46:14.0437 5060 UBHelper ( UnsignedFile.Multi.Generic ) - User select action: Skip 13:46:15.0171 5060 \Device\Harddisk0\DR0\# - copied to quarantine 13:46:15.0187 5060 \Device\Harddisk0\DR0 - copied to quarantine 13:46:15.0265 5060 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine 13:46:15.0281 5060 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine 13:46:15.0406 5060 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine 13:46:16.0015 5060 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine 13:46:16.0046 5060 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine 13:46:16.0093 5060 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine 13:46:18.0328 5060 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine 13:46:20.0281 5060 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine 13:46:20.0296 5060 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine 13:46:20.0296 5060 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine 13:46:20.0656 5060 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine 13:46:20.0734 5060 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine 13:46:20.0750 5060 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine 13:46:20.0765 5060 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine 13:46:20.0796 5060 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot 13:46:20.0796 5060 \Device\Harddisk0\DR0 - ok 13:46:20.0796 5060 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure 13:46:20.0812 5060 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user 13:46:20.0812 5060 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip 13:47:06.0656 5032 Deinitialize success
  8. Thanks for the reply MrC. I downloaded RogueKiller and tried twice to run it, it does the "prescan" and then both times I try to scan, it runs about 3/4 through the process, then shuts down + reboots the system. I did manage to see that it recognized at least 1 or 2 problem files before shutting down. No log was generated. Should I keep trying to scan with RogueKiller? Thank you. Rig,
  9. My system has been running VERY slowly lately, and I noticed when I checked the task manager, it almost always shows "svchost.exe" with a very high usage. Any help would be greatly appreciated- I scanned with MBAM and MS Security essentials, and it always come back with nothing found. Here are the logs as requested in the FAQ: . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31 Run by raleigh at 10:26:52 on 2012-08-22 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1078 [GMT -4:00] . AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . ============== Running Processes =============== . C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe c:\Program Files\Microsoft Security Client\MsMpEng.exe svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\Logitech\QuickCam\Quickcam.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\Southwest Airlines\Ding\Ding.exe C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe c:\program files\logitech\quickcam\lu\lulnchr.exe c:\program files\logitech\quickcam\lu\LogitechUpdate.exe C:\Program Files\Common Files\Java\Java Update\jucheck.exe C:\Program Files\Microsoft Office\Office12\WINWORD.EXE C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\SearchProtocolHost.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1212586949&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855 uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com mURLSearchHooks: H - No File BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background uRun: [Google Update] "c:\documents and settings\raleigh\local settings\application data\google\update\GoogleUpdate.exe" /c mRun: [RTHDCPL] RTHDCPL.EXE mRun: [skyTel] SkyTel.EXE mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe" mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe" mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe" mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [screwDrivers RDP Plugin] c:\program files\tricerat\simplify printing\screwdrivers client v4\install_rdp.exe mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBLAFQANgAyAC0AVAAwAFQAMABXAC0ARwA0ADkAOQBBAC0ATABaAEIARABRAC0AOAA2AE4AVABRAA"&"inst=NwA2AC0ANQAwADQAMgA1ADAAMgA3ADcALQBCADEALQBVADkAMAArADEALQBYAE8AMwA2ACsAMQAtAFMAVAAxACsAMgAtAFQAQgA5ACsAMgAtAE4AMQBEACsAMQAtAFAATAArADkALQBDAEkAQQA5ADAAKwAyAA"&"prod=92"&"ver=9.0.894 StartupFolder: c:\docume~1\raleigh\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe StartupFolder: c:\docume~1\raleigh\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL Trusted Zone: car-part.com\appcgi Trusted Zone: minutemanintl.com\www DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll DPF: {03A89EFD-E023-B000-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInst11.dll DPF: {03A89EFD-E023-B100-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInst11.dll DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1343849569812 DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} - hxxp://apps.chicago.auctionsolutions.com/4.2/install/isetupml.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 192.168.0.1 TCP: Interfaces\{944D7615-AF0D-4A3E-8EA1-B969700F61B0} : DhcpNameServer = 192.168.0.1 Notify: LMIinit - LMIinit.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\raleigh\application data\mozilla\firefox\profiles\hvldi4b0.default\ FF - prefs.js: browser.search.selectedEngine - AVG Secure Search FF - prefs.js: browser.startup.homepage - www.hotmail.com FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4c63e952&v=6.010.006.004&i=26&tp=ab&iy=&ychte=us&lng=en-US&q= FF - plugin: c:\documents and settings\raleigh\local settings\application data\google\update\1.3.21.115\npGoogleUpdate3.dll FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll FF - plugin: c:\program files\java\jre6\bin\npoji610.dll FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll FF - plugin: c:\program files\mozilla firefox\plugins\npbasic.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} . ============= SERVICES / DRIVERS =============== . R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064] R1 MpKsl87bf129e;MpKsl87bf129e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4aac47b-0e3e-4b7c-a2c4-fcae8aff1398}\MpKsl87bf129e.sys [2012-8-22 29904] R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-12-29 374152] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856] R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-1-5 47640] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-28 22344] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664] S2 netlimiter;netlimiter;\??\c:\windows\system32\drivers\netlimiter.sys --> c:\windows\system32\drivers\netlimiter.sys [?] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-17 250056] S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\system32\drivers\cmo_bus.sys [2007-10-17 58352] S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\system32\drivers\cmo_mdfl.sys [2007-10-17 8304] S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\system32\drivers\cmo_mdm.sys [2007-10-17 93904] S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cmo_serd.sys [2007-10-17 73696] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664] S4 LMIRfsClientNP;LMIRfsClientNP; [x] . =============== Created Last 30 ================ . 2012-08-22 12:49:38 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4aac47b-0e3e-4b7c-a2c4-fcae8aff1398}\MpKsl87bf129e.sys 2012-08-21 20:45:59 -------- d-----w- c:\documents and settings\all users\application data\SecTaskMan 2012-08-21 20:45:51 -------- d-----w- c:\program files\Security Task Manager 2012-08-21 20:44:42 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4aac47b-0e3e-4b7c-a2c4-fcae8aff1398}\offreg.dll 2012-08-21 20:14:13 7023536 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f4aac47b-0e3e-4b7c-a2c4-fcae8aff1398}\mpengine.dll 2012-08-16 20:35:03 6891424 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll 2012-08-09 18:11:00 -------- d-----w- c:\documents and settings\all users\application data\Brother 2012-08-06 13:20:29 -------- d--h--w- c:\windows\PIF 2012-08-02 18:21:19 -------- d-----w- c:\documents and settings\raleigh\local settings\application data\LogMeIn Rescue Applet 2012-07-27 20:51:30 184248 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll 2012-07-27 20:51:30 184248 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll . ==================== Find3M ==================== . 2012-08-15 01:07:16 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-08-15 01:07:16 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys 2012-06-07 00:59:42 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX 2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll 2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll 2012-06-04 21:35:26 222448 ----a-w- c:\windows\system32\muweb.dll 2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll 2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui 2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl 2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui 2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui 2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui 2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll 2012-06-02 19:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui 2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll . =================== ROOTKIT ==================== . Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: WDC_WD800JD-22MSA1 rev.10.01E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e . device: opened successfully user: MBR read successfully . Disk trace: called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x898624B1]<< _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8986993c]; MOV EAX, [0x89869ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; } 1 ntkrnlpa!IofCallDriver[0x804EE140] -> \Device\Harddisk0\DR0[0x8A40BAB8] 3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE140] -> \Device\00000064[0x8A42BAC8] 5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE140] -> [0x8A3DC940] \Driver\atapi[0x89C54998] -> IRP_MJ_CREATE -> 0x898624B1 error: Read A device attached to the system is not functioning. kernel: MBR read successfully _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; } detected disk devices: detected hooks: \Driver\atapi DriverStartIo -> 0x898622E2 user & kernel MBR OK Warning: possible TDL3 rootkit infection ! . ============= FINISH: 10:29:43.67 =============== and attach.txt . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2011-08-26.01) . Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 10/16/2007 5:17:02 PM System Uptime: 8/22/2012 8:45:56 AM (2 hours ago) . Motherboard: Acer | | F671CR Processor: Intel Pentium II processor | Socket 775 | 1600/200mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 75 GiB total, 44.232 GiB free. D: is CDROM () . ==== Disabled Device Manager Items ============= . Class GUID: {36FC9E60-C465-11CF-8056-444553540000} Description: USB Mass Storage Device Device ID: USB\VID_04B8&PID_0838&MI_02\6&19660D7B&0&0002 Manufacturer: Compatible USB storage device Name: USB Mass Storage Device PNP Device ID: USB\VID_04B8&PID_0838&MI_02\6&19660D7B&0&0002 Service: USBSTOR . ==== System Restore Points =================== . RP1791: 6/11/2012 2:21:19 AM - System Checkpoint RP1792: 6/11/2012 3:28:01 AM - Software Distribution Service 3.0 RP1793: 6/12/2012 3:28:14 AM - Software Distribution Service 3.0 RP1794: 6/13/2012 3:00:28 AM - Software Distribution Service 3.0 RP1795: 6/13/2012 3:55:50 AM - Software Distribution Service 3.0 RP1796: 6/14/2012 3:56:04 AM - Software Distribution Service 3.0 RP1797: 6/15/2012 4:21:13 AM - System Checkpoint RP1798: 6/15/2012 9:31:10 AM - Software Distribution Service 3.0 RP1799: 6/16/2012 9:30:13 AM - Software Distribution Service 3.0 RP1800: 6/17/2012 2:23:25 AM - Software Distribution Service 3.0 RP1801: 6/17/2012 9:32:45 AM - Software Distribution Service 3.0 RP1802: 6/18/2012 9:30:28 AM - Software Distribution Service 3.0 RP1803: 6/19/2012 11:34:58 AM - System Checkpoint RP1804: 6/20/2012 11:00:17 AM - Software Distribution Service 3.0 RP1805: 6/21/2012 11:12:44 AM - System Checkpoint RP1806: 6/22/2012 1:21:57 AM - Software Distribution Service 3.0 RP1807: 6/23/2012 1:24:02 AM - System Checkpoint RP1808: 6/23/2012 2:33:00 PM - Software Distribution Service 3.0 RP1809: 6/24/2012 2:02:39 AM - Software Distribution Service 3.0 RP1810: 6/24/2012 2:32:22 PM - Software Distribution Service 3.0 RP1811: 6/25/2012 2:32:18 PM - Software Distribution Service 3.0 RP1812: 6/26/2012 2:32:09 PM - Software Distribution Service 3.0 RP1813: 6/27/2012 3:00:15 AM - Software Distribution Service 3.0 RP1814: 6/27/2012 2:32:21 PM - Software Distribution Service 3.0 RP1815: 6/28/2012 2:31:44 PM - Software Distribution Service 3.0 RP1816: 6/29/2012 3:23:39 PM - System Checkpoint RP1817: 6/30/2012 1:32:14 PM - Software Distribution Service 3.0 RP1818: 7/1/2012 1:41:37 AM - Software Distribution Service 3.0 RP1819: 7/1/2012 1:32:20 PM - Software Distribution Service 3.0 RP1820: 7/2/2012 1:53:58 PM - System Checkpoint RP1821: 7/3/2012 11:03:24 AM - Software Distribution Service 3.0 RP1822: 7/4/2012 11:02:55 AM - Software Distribution Service 3.0 RP1823: 7/5/2012 11:02:52 AM - Software Distribution Service 3.0 RP1824: 7/6/2012 11:02:52 AM - Software Distribution Service 3.0 RP1825: 7/7/2012 11:02:52 AM - Software Distribution Service 3.0 RP1826: 7/8/2012 1:32:20 AM - Software Distribution Service 3.0 RP1827: 7/8/2012 11:02:55 AM - Software Distribution Service 3.0 RP1828: 7/9/2012 11:02:28 AM - Software Distribution Service 3.0 RP1829: 7/10/2012 11:02:01 AM - Software Distribution Service 3.0 RP1830: 7/11/2012 11:03:00 AM - Software Distribution Service 3.0 RP1831: 7/12/2012 3:00:24 AM - Software Distribution Service 3.0 RP1832: 7/13/2012 3:28:03 AM - System Checkpoint RP1833: 7/13/2012 3:36:30 AM - Software Distribution Service 3.0 RP1834: 7/14/2012 3:35:29 AM - Software Distribution Service 3.0 RP1835: 7/15/2012 2:18:48 AM - Software Distribution Service 3.0 RP1836: 7/16/2012 2:27:02 AM - System Checkpoint RP1837: 7/16/2012 3:34:57 AM - Software Distribution Service 3.0 RP1838: 7/17/2012 3:38:02 AM - System Checkpoint RP1839: 7/17/2012 4:49:28 PM - Software Distribution Service 3.0 RP1840: 7/18/2012 4:45:20 PM - Software Distribution Service 3.0 RP1841: 7/19/2012 4:45:34 PM - Software Distribution Service 3.0 RP1842: 7/20/2012 4:46:04 PM - Software Distribution Service 3.0 RP1843: 7/21/2012 4:45:28 PM - Software Distribution Service 3.0 RP1844: 7/22/2012 2:15:32 AM - Software Distribution Service 3.0 RP1845: 7/22/2012 4:45:10 PM - Software Distribution Service 3.0 RP1846: 7/23/2012 4:44:03 PM - Software Distribution Service 3.0 RP1847: 7/24/2012 4:50:05 PM - Software Distribution Service 3.0 RP1848: 7/25/2012 4:49:42 PM - Software Distribution Service 3.0 RP1849: 7/26/2012 4:48:58 PM - Software Distribution Service 3.0 RP1850: 7/27/2012 4:52:11 PM - System Checkpoint RP1851: 7/27/2012 8:56:54 PM - Software Distribution Service 3.0 RP1852: 7/28/2012 8:56:32 PM - Software Distribution Service 3.0 RP1853: 7/29/2012 1:57:35 AM - Software Distribution Service 3.0 RP1854: 7/29/2012 8:56:34 PM - Software Distribution Service 3.0 RP1855: 7/30/2012 8:55:18 PM - Software Distribution Service 3.0 RP1856: 7/31/2012 8:55:37 PM - Software Distribution Service 3.0 RP1857: 8/1/2012 8:58:18 PM - Software Distribution Service 3.0 RP1858: 8/3/2012 8:46:03 AM - System Checkpoint RP1859: 8/3/2012 10:53:58 AM - Software Distribution Service 3.0 RP1860: 8/4/2012 11:01:33 AM - System Checkpoint RP1861: 8/4/2012 1:08:47 PM - Software Distribution Service 3.0 RP1862: 8/5/2012 1:51:08 AM - Software Distribution Service 3.0 RP1863: 8/5/2012 1:08:29 PM - Software Distribution Service 3.0 RP1864: 8/6/2012 9:12:15 AM - Removed TomTom HOME RP1865: 8/6/2012 9:14:01 AM - Removed Skype™ 4.2 RP1866: 8/6/2012 9:14:32 AM - Removed Skype Toolbars RP1867: 8/15/2012 3:50:33 AM - System Checkpoint RP1868: 8/15/2012 3:43:15 PM - Software Distribution Service 3.0 RP1869: 8/16/2012 4:34:51 PM - Software Distribution Service 3.0 RP1870: 8/17/2012 5:04:57 PM - System Checkpoint RP1871: 8/18/2012 6:07:51 PM - System Checkpoint RP1872: 8/19/2012 6:41:20 PM - System Checkpoint RP1873: 8/20/2012 7:28:23 PM - System Checkpoint RP1874: 8/21/2012 4:10:55 PM - Software Distribution Service 3.0 . ==== Installed Programs ====================== . Adobe AIR Adobe Flash Player 10 Plugin Adobe Flash Player 11 ActiveX Adobe Reader X (10.1.4) Adobe Shockwave Player 11.5 ArcSoft PhotoImpression 6 ArcSoft Print Creations Auction Client Critical Update for Windows Media Player 11 (KB959772) DING! EPSON CX7400 User's Guide EPSON Printer Software EPSON Scan EPSON Stylus CX7400 Series Scanner Driver Update Google Chrome Google Toolbar for Internet Explorer Google Update Helper Google Updater High Definition Audio Driver Package - KB888111 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB2158563) Hotfix for Windows XP (KB2443685) Hotfix for Windows XP (KB2570791) Hotfix for Windows XP (KB2633952) Hotfix for Windows XP (KB915800-v4) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) Hotfix for Windows XP (KB976098-v2) Hotfix for Windows XP (KB979306) Hotfix for Windows XP (KB981793) IGHQ IT Remote Resuce INVISION 11 Client INVISION Client Java Auto Updater Java 6 Update 3 Java 6 Update 31 Java 6 Update 5 Java 6 Update 7 LightScribe 1.4.136.1 Logitech QuickCam Logitech® Camera Driver LogMeIn Malwarebytes Anti-Malware version 1.62.0.1300 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB2656353) Microsoft .NET Framework 1.1 Security Update (KB2656370) Microsoft .NET Framework 1.1 Security Update (KB979906) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft .NET Framework 4 Client Profile Microsoft Application Error Reporting Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office 2000 Premium Microsoft Office 2007 Service Pack 3 (SP3) Microsoft Office Excel MUI (English) 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Small Business 2007 Microsoft Office Word MUI (English) 2007 Microsoft Security Client Microsoft Security Essentials Microsoft Silverlight Microsoft Software Update for Web Folders (English) 12 Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Mozilla Firefox (3.5.16) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) MSXML 6.0 Parser (KB933579) NTI Backup NOW! 4.7 NTI CD & DVD-Maker OGA Notifier 2.0.0048.0 OpenOffice.org 3.0 Pdf995 PowerDVD QuickLink Mobile Realtek High Definition Audio Driver ScrewDrivers Client v4 (rdp only) Security Task Manager 1.8d Security Update for CAPICOM (KB931906) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424) Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708) Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663) Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636) Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition Security Update for Microsoft Windows (KB2564958) Security Update for Step By Step Interactive Training (KB898458) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 8 (KB2183461) Security Update for Windows Internet Explorer 8 (KB2360131) Security Update for Windows Internet Explorer 8 (KB2416400) Security Update for Windows Internet Explorer 8 (KB2482017) Security Update for Windows Internet Explorer 8 (KB2497640) Security Update for Windows Internet Explorer 8 (KB2510531) Security Update for Windows Internet Explorer 8 (KB2530548) Security Update for Windows Internet Explorer 8 (KB2544521) Security Update for Windows Internet Explorer 8 (KB2559049) Security Update for Windows Internet Explorer 8 (KB2586448) Security Update for Windows Internet Explorer 8 (KB2618444) Security Update for Windows Internet Explorer 8 (KB2647516) Security Update for Windows Internet Explorer 8 (KB2675157) Security Update for Windows Internet Explorer 8 (KB2699988) Security Update for Windows Internet Explorer 8 (KB969897) Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB972260) Security Update for Windows Internet Explorer 8 (KB974455) Security Update for Windows Internet Explorer 8 (KB976325) Security Update for Windows Internet Explorer 8 (KB978207) Security Update for Windows Internet Explorer 8 (KB981332) Security Update for Windows Internet Explorer 8 (KB982381) Security Update for Windows Media Player (KB2378111) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player (KB975558) Security Update for Windows Media Player (KB978695) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows Media Player 9 (KB917734) Security Update for Windows Media Player 9 (KB936782) Security Update for Windows Search 4 - KB963093 Security Update for Windows XP (KB2079403) Security Update for Windows XP (KB2115168) Security Update for Windows XP (KB2121546) Security Update for Windows XP (KB2124261) Security Update for Windows XP (KB2160329) Security Update for Windows XP (KB2229593) Security Update for Windows XP (KB2259922) Security Update for Windows XP (KB2279986) Security Update for Windows XP (KB2286198) Security Update for Windows XP (KB2290570) Security Update for Windows XP (KB2296011) Security Update for Windows XP (KB2296199) Security Update for Windows XP (KB2347290) Security Update for Windows XP (KB2360937) Security Update for Windows XP (KB2387149) Security Update for Windows XP (KB2393802) Security Update for Windows XP (KB2412687) Security Update for Windows XP (KB2419632) Security Update for Windows XP (KB2423089) Security Update for Windows XP (KB2436673) Security Update for Windows XP (KB2440591) Security Update for Windows XP (KB2443105) Security Update for Windows XP (KB2476490) Security Update for Windows XP (KB2476687) Security Update for Windows XP (KB2478960) Security Update for Windows XP (KB2478971) Security Update for Windows XP (KB2479628) Security Update for Windows XP (KB2479943) Security Update for Windows XP (KB2481109) Security Update for Windows XP (KB2483185) Security Update for Windows XP (KB2485376) Security Update for Windows XP (KB2485663) Security Update for Windows XP (KB2491683) Security Update for Windows XP (KB2503658) Security Update for Windows XP (KB2503665) Security Update for Windows XP (KB2506212) Security Update for Windows XP (KB2506223) Security Update for Windows XP (KB2507618) Security Update for Windows XP (KB2507938) Security Update for Windows XP (KB2508272) Security Update for Windows XP (KB2508429) Security Update for Windows XP (KB2509553) Security Update for Windows XP (KB2511455) Security Update for Windows XP (KB2524375) Security Update for Windows XP (KB2535512) Security Update for Windows XP (KB2536276-v2) Security Update for Windows XP (KB2536276) Security Update for Windows XP (KB2544893-v2) Security Update for Windows XP (KB2544893) Security Update for Windows XP (KB2555917) Security Update for Windows XP (KB2562937) Security Update for Windows XP (KB2566454) Security Update for Windows XP (KB2567053) Security Update for Windows XP (KB2567680) Security Update for Windows XP (KB2570222) Security Update for Windows XP (KB2570947) Security Update for Windows XP (KB2584146) Security Update for Windows XP (KB2585542) Security Update for Windows XP (KB2592799) Security Update for Windows XP (KB2598479) Security Update for Windows XP (KB2603381) Security Update for Windows XP (KB2618451) Security Update for Windows XP (KB2619339) Security Update for Windows XP (KB2620712) Security Update for Windows XP (KB2621440) Security Update for Windows XP (KB2624667) Security Update for Windows XP (KB2631813) Security Update for Windows XP (KB2633171) Security Update for Windows XP (KB2639417) Security Update for Windows XP (KB2641653) Security Update for Windows XP (KB2646524) Security Update for Windows XP (KB2647518) Security Update for Windows XP (KB2653956) Security Update for Windows XP (KB2655992) Security Update for Windows XP (KB2659262) Security Update for Windows XP (KB2660465) Security Update for Windows XP (KB2661637) Security Update for Windows XP (KB2676562) Security Update for Windows XP (KB2685939) Security Update for Windows XP (KB2686509) Security Update for Windows XP (KB2691442) Security Update for Windows XP (KB2695962) Security Update for Windows XP (KB2698365) Security Update for Windows XP (KB2707511) Security Update for Windows XP (KB2709162) Security Update for Windows XP (KB2718523) Security Update for Windows XP (KB2719985) Security Update for Windows XP (KB913433) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953155) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB970483) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975562) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB976323) Security Update for Windows XP (KB977165) Security Update for Windows XP (KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978542) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB978706) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979482) Security Update for Windows XP (KB979559) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB979687) Security Update for Windows XP (KB980195) Security Update for Windows XP (KB980218) Security Update for Windows XP (KB980232) Security Update for Windows XP (KB980436) Security Update for Windows XP (KB981322) Security Update for Windows XP (KB981852) Security Update for Windows XP (KB981957) Security Update for Windows XP (KB981997) Security Update for Windows XP (KB982132) Security Update for Windows XP (KB982214) Security Update for Windows XP (KB982665) Security Update for Windows XP (KB982802) Shipping Assistant 3.5 Spelling Dictionaries Support For Adobe Reader 8 Spotify Update for 2007 Microsoft Office System (KB967642) Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Microsoft Office 2007 Help for Common Features (KB963673) Update for Microsoft Office Excel 2007 Help (KB963678) Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition Update for Microsoft Office Outlook 2007 Help (KB963677) Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687400) 32-Bit Edition Update for Microsoft Office Powerpoint 2007 Help (KB963669) Update for Microsoft Office Publisher 2007 Help (KB963667) Update for Microsoft Office Script Editor Help (KB963671) Update for Microsoft Office Word 2007 Help (KB963665) Update for Microsoft Windows (KB971513) Update for Windows Internet Explorer 8 (KB2447568) Update for Windows Internet Explorer 8 (KB971930) Update for Windows Internet Explorer 8 (KB976662) Update for Windows Internet Explorer 8 (KB976749) Update for Windows Internet Explorer 8 (KB980182) Update for Windows Internet Explorer 8 (KB982632) Update for Windows XP (KB2141007) Update for Windows XP (KB2345886) Update for Windows XP (KB2467659) Update for Windows XP (KB2541763) Update for Windows XP (KB2607712) Update for Windows XP (KB2616676) Update for Windows XP (KB2641690) Update for Windows XP (KB2718704) Update for Windows XP (KB943729) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955759) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB971029) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update for Windows XP (KB973815) VLC media player 1.1.11 WebFldrs XP Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Imaging Component Windows Internet Explorer 7 Windows Internet Explorer 8 Windows Management Framework Core Windows Media Format 11 runtime Windows Media Format SDK Hotfix - KB891122 Windows Media Player 11 Windows Presentation Foundation Windows Search 4.0 Windows XP Service Pack 3 XML Paper Specification Shared Components Pack 1.0 . ==== Event Viewer Messages From Past Week ======== . 8/22/2012 10:07:08 AM, error: Print [6161] - The document Magic - Select Printer owned by raleigh failed to print on printer Brother HL-3040CN series. Data type: NT EMF 1.008. Size of the spool file in bytes: 3463376. Number of bytes printed: 3463288. Total number of pages in the document: 1. Number of pages printed: 1. Client machine: \\ACER-E355056E8B. Win32 error code returned by the print processor: 122 (0x7a). 8/21/2012 6:45:55 PM, error: Service Control Manager [7000] - The mbamchameleon service failed to start due to the following error: The system cannot find the file specified. 8/21/2012 4:51:26 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s). 8/21/2012 4:36:54 PM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s). 8/20/2012 4:34:36 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.2201.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8007000e Error description: Not enough storage is available to complete this operation. 8/19/2012 4:34:19 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.2201.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8007000e Error description: Not enough storage is available to complete this operation. 8/19/2012 2:06:07 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.2201.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8007000e Error description: Not enough storage is available to complete this operation. 8/18/2012 4:34:29 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.2201.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8007000e Error description: Not enough storage is available to complete this operation. 8/17/2012 4:38:06 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.131.2201.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8007000e Error description: Not enough storage is available to complete this operation. 8/16/2012 4:35:32 PM, error: PlugPlayManager [11] - The device Root\LEGACY_MPKSL72885565\0000 disappeared from the system without first being prepared for removal. 8/16/2012 4:25:04 PM, error: Service Control Manager [7000] - The osaio service failed to start due to the following error: The system cannot find the file specified. 8/16/2012 4:25:04 PM, error: Service Control Manager [7000] - The netlimiter service failed to start due to the following error: The system cannot find the file specified. 8/15/2012 10:19:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect. 8/15/2012 10:19:13 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 8/15/2012 10:18:24 PM, error: System Error [1003] - Error code 1000000a, parameter1 80b93ca0, parameter2 00000002, parameter3 00000001, parameter4 80500d12. . ==== End Of File ===========================
  10. Got everything done that you suggested, and everything seems to be good so far. THANKS for the help, I really appreciate it. Rig.
  11. Quarantine.zip Attempted to attach this zipped file to this reply- let me know if it's what you needed or not. THANKS!
  12. I just noticed that ESET found and deleted a file called "C:\Program Files\Z-Firm LLC\ShipRush v4\ShipRush4.exe ". Unless this was corrupted, this is NOT a virus or an infected file, this was a shipping tool that I used a couple of times to ship FedEx packages. Not a problem that it deleted it, I haven't used it in a while and I can easily download it again if I need it. Here's the "checkup" txt file: Results of screen317's Security Check version 0.99.10 Windows XP Service Pack 3 Internet Explorer 7 Out of date! `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Enabled! Avira AntiVir Personal - Free Antivirus ESET Online Scanner v3 Avira successfully updated! ``````````````````````````````` Anti-malware/Other Utilities Check: Ad-Aware Malwarebytes' Anti-Malware HijackThis 2.0.2 CCleaner Java 6 Update 22 Java SE Runtime Environment 6 Update 1 Java 6 Update 2 Java 6 Update 3 Java 6 Update 5 Java 6 Update 7 Out of date Java installed! Adobe Flash Player 10.2.153.1 Adobe Reader 7.1.0 Out of date Adobe Reader installed! Mozilla Firefox (3.6.12) Firefox Out of Date! ```````````````````````````````` Process Check: objlist.exe by Laurent Ad-Aware AAWService.exe is disabled! Ad-Aware AAWTray.exe is disabled! Avira Antivir avgnt.exe Avira Antivir avguard.exe ``````````End of Log````````````
  13. ESET Scan log: ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=7.00.6000.16981 (vista_gdr.091215-2244) # OnlineScanner.ocx=1.0.0.6427 # api_version=3.0.2 # EOSSerial=5dcefe21030df54d96c03300d13466da # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-04-28 03:35:16 # local_time=2011-04-27 11:35:16 (-0500, Eastern Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 2912196 2912196 0 0 # compatibility_mode=1797 16775141 100 93 0 39548563 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=92951 # found=5 # cleaned=5 # scan_time=2905 C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\52ytqx53.default\extensions\cybersearch@cybernetnews.com\defaults\preferences\prefs.js Win32/Agent.RQD.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Program Files\Z-Firm LLC\ShipRush v4\ShipRush4.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0000511.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C C:\WINDOWS\system32\123.js JS/TrojanDownloader.Agent.NWG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\WINDOWS\system32\535.js JS/TrojanDownloader.Agent.NWG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
  14. MBAM Quick Scan: Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6460 Windows 5.1.2600 Service Pack 3 Internet Explorer 7.0.5730.13 4/27/2011 10:40:33 PM mbam-log-2011-04-27 (22-40-33).txt Scan type: Quick scan Objects scanned: 153225 Time elapsed: 3 minute(s), 38 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) --------------------------------
  15. Sorry for the multiple replies, I hit <enter> too quickly after that last one. I wanted to add that I was unable to rename malwarebytes (mbam.exe) and get it to work while the pop ups were popping up. ALSO- I updated and ran a full scan with Malwarebytes after running combofix and MBAM found 3 or 4 infected files and I went ahead and deleted them at that time.
  16. Thank you screen317 for the reply. I've posted the dds.txt at the end of this post, but let me say that with the help of a local friend who is much more computer-saavy than I am, I *think* we have gotten rid of the bug. We used combofix, and it found a couple of bad files and deleted them, and since then everything has been fine (knock wood). I greatly appreciate any further input you may have on this, thanks in advance! --------------- . DDS (Ver_11-03-05.01) - NTFSx86 Run by Owner at 22:22:49.87 on Wed 04/27/2011 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.974 [GMT -4:00] . AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} . ============== Running Processes =============== . C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe svchost.exe C:\Program Files\Digital Media Reader\shwiconem.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\program files\real\realplayer\update\realsched.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Microsoft ActiveSync\Wcescomm.exe C:\WINDOWS\system32\ctfmon.exe C:\Palm\HOTSYNC.EXE C:\Program Files\OpenOffice.org 2.0\program\soffice.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN C:\PROGRA~1\MICROS~4\rapimgr.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Owner\Desktop\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.hotmail.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [sunKistEM] c:\program files\digital media reader\shwiconem.exe mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe" mRun: [VTTimer] VTTimer.exe mRun: [soundMan] SOUNDMAN.EXE mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime StartupFolder: c:\docume~1\owner\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187193179013 DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} - hxxp://apps.chicago.auctionsolutions.com/4.2/install/isetupml.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www1.gotomeeting.com/default/applets/g2mdlax.cab DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\52ytqx53.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s= FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext FF - Ext: CyberSearch: cybersearch@cybernetnews.com - %profile%\extensions\cybersearch@cybernetnews.com FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79} FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\owner\application data\Move Networks . ---- FIREFOX POLICIES ---- FF - user.js: browser.cache.memory.capacity - 65536 FF - user.js: browser.chrome.favicons - false FF - user.js: browser.display.show_image_placeholders - true FF - user.js: browser.search.order.1 - Search FF - user.js: browser.turbo.enabled - true FF - user.js: browser.urlbar.autocomplete.enabled - true FF - user.js: browser.urlbar.autofill - true FF - user.js: content.interrupt.parsing - true FF - user.js: content.max.tokenizing.time - 2250000 FF - user.js: content.notify.backoffcount - 5 FF - user.js: content.notify.interval - 750000 FF - user.js: content.notify.ontimer - true FF - user.js: content.switch.threshold - 750000 FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s= FF - user.js: network.http.max-connections - 48 FF - user.js: network.http.max-connections-per-server - 16 FF - user.js: network.http.max-persistent-connections-per-proxy - 16 FF - user.js: network.http.max-persistent-connections-per-server - 8 FF - user.js: network.http.pipelining - true FF - user.js: network.http.pipelining.firstrequest - true FF - user.js: network.http.pipelining.maxrequests - 8 FF - user.js: network.http.proxy.pipelining - true FF - user.js: network.http.request.max-start-delay - 0 FF - user.js: nglayout.initialpaint.delay - 0 FF - user.js: plugin.expose_full_path - true FF - user.js: ui.submenuDelay - 0 . ============= SERVICES / DRIVERS =============== . R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-15 64288] R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-12 11608] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-12 136360] R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-12 269480] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-12 61960] R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704] S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\owner\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\owner\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?] S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\owner\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\owner\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664] S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2007-5-31 9312] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1375992] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15264] . =============== Created Last 30 ================ . 2011-04-28 02:08:57 -------- d-----w- C:\e2ff17fafb7633df5cffb4 2011-04-26 05:34:00 98816 ----a-w- c:\windows\sed.exe 2011-04-26 05:34:00 89088 ----a-w- c:\windows\MBR.exe 2011-04-26 05:34:00 256512 ----a-w- c:\windows\PEV.exe 2011-04-26 05:34:00 161792 ----a-w- c:\windows\SWREG.exe 2011-04-26 04:56:55 388096 ----a-r- c:\docume~1\owner\applic~1\microsoft\installer\{0761c9a8-8f3a-4216-b4a7-b7afbf24a24a}\HiJackThis.exe 2011-04-26 04:56:54 -------- d-----w- c:\program files\TrendMicro 2011-04-26 03:52:17 21768 ----a-w- c:\windows\system32\drivers\PROCEXP141.SYS . ==================== Find3M ==================== . 2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll 2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll 2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll 2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll 2005-12-22 15:50:40 774144 ----a-w- c:\program files\RngInterstitial.dll . ============= FINISH: 22:23:48.76 ===============
  17. Apologies in advance for the multiple follow-ups, but I was able to run HijackThis using my thumbdrive transfer method, here are the results: Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 1:07:16 AM, on 4/26/2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\WINDOWS\system32\VTTimer.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\program files\real\realplayer\update\realsched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Microsoft ActiveSync\Wcescomm.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\OpenOffice.org 2.0\program\soffice.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN C:\PROGRA~1\MICROS~4\rapimgr.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187193179013 O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://apps.chicago.auctionsolutions.com/4.2/install/isetupml.cab O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default/applets/g2mdlax.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe -- End of file - 8881 bytes
  18. I've been doing alot of reading on this forum, as well as bleepingcomputer.com. I have tried unsuccessfully to find and stop whatever is running that is causing the problem. I did have a small bit of success with RootRepeal, but I don't know what I'm looking at. I have attached the .txt file of the RootRepeal scan. FYI, I tried scanning it a second time with Root Repeal, just to see if it gave the same results, and it popped up with an error and no results. I did this on the desktop, then copied it to the thumbdrive and transferred it to the laptop that I'm typing on now (not infected). Sorry for replying/bumping my own thread, but I thought this was something more to go on. TIA. ----------------------------------- I'm not sure if the .txt file will attach, so I cut + pasted it below this line: ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2011/04/26 00:07 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: 1394BUS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS Address: 0xBA1A8000 Size: 57344 File Visible: - Signed: - Status: - Name: ABP480N5.SYS Image Path: ABP480N5.SYS Address: 0xBA370000 Size: 23552 File Visible: - Signed: - Status: - Name: ACPI.sys Image Path: ACPI.sys Address: 0xB9F79000 Size: 187776 File Visible: - Signed: - Status: - Name: ACPI_HAL Image Path: \Driver\ACPI_HAL Address: 0x804D7000 Size: 2069376 File Visible: - Signed: - Status: - Name: adpu160m.sys Image Path: adpu160m.sys Address: 0xB9F00000 Size: 101888 File Visible: - Signed: - Status: - Name: afd.sys Image Path: C:\WINDOWS\System32\drivers\afd.sys Address: 0xB7965000 Size: 138496 File Visible: - Signed: - Status: - Name: agp440.sys Image Path: agp440.sys Address: 0xBA1B8000 Size: 42368 File Visible: - Signed: - Status: - Name: agpCPQ.sys Image Path: agpCPQ.sys Address: 0xBA1E8000 Size: 44928 File Visible: - Signed: - Status: - Name: aha154x.sys Image Path: aha154x.sys Address: 0xBA4C0000 Size: 12800 File Visible: - Signed: - Status: - Name: aic78u2.sys Image Path: aic78u2.sys Address: 0xBA108000 Size: 55168 File Visible: - Signed: - Status: - Name: aic78xx.sys Image Path: aic78xx.sys Address: 0xBA0D8000 Size: 56960 File Visible: - Signed: - Status: - Name: aliide.sys Image Path: aliide.sys Address: 0xBA5AC000 Size: 5248 File Visible: - Signed: - Status: - Name: alim1541.sys Image Path: alim1541.sys Address: 0xBA1C8000 Size: 42752 File Visible: - Signed: - Status: - Name: amdagp.sys Image Path: amdagp.sys Address: 0xBA1D8000 Size: 43008 File Visible: - Signed: - Status: - Name: AmdPPM.sys Image Path: C:\WINDOWS\system32\DRIVERS\AmdPPM.sys Address: 0xB9D29000 Size: 53248 File Visible: - Signed: - Status: - Name: amsint.sys Image Path: amsint.sys Address: 0xBA4CC000 Size: 12032 File Visible: - Signed: - Status: - Name: asc.sys Image Path: asc.sys Address: 0xBA340000 Size: 26496 File Visible: - Signed: - Status: - Name: asc3350p.sys Image Path: asc3350p.sys Address: 0xBA378000 Size: 22400 File Visible: - Signed: - Status: - Name: asc3550.sys Image Path: asc3550.sys Address: 0xBA4D0000 Size: 14848 File Visible: - Signed: - Status: - Name: atapi.sys Image Path: atapi.sys Address: 0xB9F19000 Size: 96512 File Visible: - Signed: - Status: - Name: audstub.sys Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys Address: 0xBA72E000 Size: 3072 File Visible: - Signed: - Status: - Name: avgio.sys Image Path: C:\Program Files\Avira\AntiVir Desktop\avgio.sys Address: 0xBA5E8000 Size: 6144 File Visible: - Signed: - Status: - Name: avgntflt.sys Image Path: C:\WINDOWS\system32\DRIVERS\avgntflt.sys Address: 0xAEE4B000 Size: 86016 File Visible: - Signed: - Status: - Name: avipbb.sys Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys Address: 0xB77E4000 Size: 155648 File Visible: - Signed: - Status: - Name: Beep.SYS Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS Address: 0xBA5D8000 Size: 4224 File Visible: - Signed: - Status: - Name: BOOTVID.dll Image Path: C:\WINDOWS\system32\BOOTVID.dll Address: 0xBA4B8000 Size: 12288 File Visible: - Signed: - Status: - Name: cbidf2k.sys Image Path: cbidf2k.sys Address: 0xBA4D8000 Size: 13952 File Visible: - Signed: - Status: - Name: cd20xrnt.sys Image Path: cd20xrnt.sys Address: 0xBA5B6000 Size: 7680 File Visible: - Signed: - Status: - Name: Cdfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS Address: 0xAE86B000 Size: 63744 File Visible: - Signed: - Status: - Name: cdrom.sys Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys Address: 0xB96BA000 Size: 62976 File Visible: - Signed: - Status: - Name: CLASSPNP.SYS Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS Address: 0xBA168000 Size: 53248 File Visible: - Signed: - Status: - Name: cmdide.sys Image Path: cmdide.sys Address: 0xBA5AE000 Size: 6656 File Visible: - Signed: - Status: - Name: cpqarray.sys Image Path: cpqarray.sys Address: 0xBA4BC000 Size: 14976 File Visible: - Signed: - Status: - Name: dac2w2k.sys Image Path: dac2w2k.sys Address: 0xB9ED4000 Size: 179584 File Visible: - Signed: - Status: - Name: dac960nt.sys Image Path: dac960nt.sys Address: 0xBA4C8000 Size: 14720 File Visible: - Signed: - Status: - Name: disk.sys Image Path: disk.sys Address: 0xBA158000 Size: 36352 File Visible: - Signed: - Status: - Name: dpti2o.sys Image Path: dpti2o.sys Address: 0xBA380000 Size: 20192 File Visible: - Signed: - Status: - Name: drmk.sys Image Path: C:\WINDOWS\system32\drivers\drmk.sys Address: 0xB969A000 Size: 61440 File Visible: - Signed: - Status: - Name: Dxapi.sys Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys Address: 0xB77DC000 Size: 12288 File Visible: - Signed: - Status: - Name: dxg.sys Image Path: C:\WINDOWS\System32\drivers\dxg.sys Address: 0xBF000000 Size: 73728 File Visible: - Signed: - Status: - Name: dxgthk.sys Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys Address: 0xBA7C3000 Size: 4096 File Visible: - Signed: - Status: - Name: Fastfat.SYS Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS Address: 0xB7798000 Size: 143744 File Visible: - Signed: - Status: - Name: Fips.SYS Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS Address: 0xBA2B8000 Size: 44544 File Visible: - Signed: - Status: - Name: fltmgr.sys Image Path: fltmgr.sys Address: 0xB9EB4000 Size: 129792 File Visible: - Signed: - Status: - Name: Fs_Rec.SYS Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS Address: 0xBA5D6000 Size: 7936 File Visible: - Signed: - Status: - Name: ftdisk.sys Image Path: ftdisk.sys Address: 0xB9F49000 Size: 125056 File Visible: - Signed: - Status: - Name: gagp30kx.sys Image Path: gagp30kx.sys Address: 0xBA1F8000 Size: 46464 File Visible: - Signed: - Status: - Name: hal.dll Image Path: C:\WINDOWS\system32\hal.dll Address: 0x806D1000 Size: 131840 File Visible: - Signed: - Status: - Name: HIDCLASS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS Address: 0xBA2D8000 Size: 36864 File Visible: - Signed: - Status: - Name: HIDPARSE.SYS Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS Address: 0xBA408000 Size: 28672 File Visible: - Signed: - Status: - Name: hidusb.sys Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys Address: 0xB8E89000 Size: 10368 File Visible: - Signed: - Status: - Name: hpn.sys Image Path: hpn.sys Address: 0xBA390000 Size: 25952 File Visible: - Signed: - Status: - Name: HSF_CNXT.sys Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys Address: 0xB8C1C000 Size: 685056 File Visible: - Signed: - Status: - Name: HSF_DP.sys Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys Address: 0xB8CC4000 Size: 1041536 File Visible: - Signed: - Status: - Name: HSFHWBS2.sys Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys Address: 0xB8DE6000 Size: 220032 File Visible: - Signed: - Status: - Name: HTTP.sys Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys Address: 0xAE202000 Size: 265728 File Visible: - Signed: - Status: - Name: i2omgmt.SYS Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS Address: 0xB9CC5000 Size: 8576 File Visible: - Signed: - Status: - Name: i2omp.sys Image Path: i2omp.sys Address: 0xBA350000 Size: 18560 File Visible: - Signed: - Status: - Name: i8042prt.sys Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys Address: 0xB967A000 Size: 52480 File Visible: - Signed: - Status: - Name: imapi.sys Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys Address: 0xB96CA000 Size: 42112 File Visible: - Signed: - Status: - Name: ini910u.sys Image Path: ini910u.sys Address: 0xBA4D4000 Size: 16000 File Visible: - Signed: - Status: - Name: intelide.sys Image Path: intelide.sys Address: 0xBA5B4000 Size: 5504 File Visible: - Signed: - Status: - Name: ipsec.sys Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys Address: 0xB7A08000 Size: 75264 File Visible: - Signed: - Status: - Name: isapnp.sys Image Path: isapnp.sys Address: 0xBA0A8000 Size: 37248 File Visible: - Signed: - Status: - Name: kbdclass.sys Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys Address: 0xBA3E0000 Size: 24576 File Visible: - Signed: - Status: - Name: KDCOM.DLL Image Path: C:\WINDOWS\system32\KDCOM.DLL Address: 0xBA5A8000 Size: 8192 File Visible: - Signed: - Status: - Name: kmixer.sys Image Path: C:\WINDOWS\system32\drivers\kmixer.sys Address: 0xAE10F000 Size: 172416 File Visible: - Signed: - Status: - Name: ks.sys Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys Address: 0xB8DC3000 Size: 143360 File Visible: - Signed: - Status: - Name: KSecDD.sys Image Path: KSecDD.sys Address: 0xB9E9D000 Size: 92928 File Visible: - Signed: - Status: - Name: Lbd.sys Image Path: Lbd.sys Address: 0xBA178000 Size: 57600 File Visible: - Signed: - Status: - Name: mdmxsdk.sys Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys Address: 0xAE7EF000 Size: 11840 File Visible: - Signed: - Status: - Name: mnmdd.SYS Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS Address: 0xBA5DA000 Size: 4224 File Visible: - Signed: - Status: - Name: Modem.SYS Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS Address: 0xBA4A8000 Size: 30080 File Visible: - Signed: - Status: - Name: mouclass.sys Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys Address: 0xBA3D8000 Size: 23040 File Visible: - Signed: - Status: - Name: MountMgr.sys Image Path: MountMgr.sys Address: 0xBA0B8000 Size: 42368 File Visible: - Signed: - Status: - Name: mraid35x.sys Image Path: mraid35x.sys Address: 0xBA348000 Size: 17280 File Visible: - Signed: - Status: - Name: mrxdav.sys Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys Address: 0xAEB9E000 Size: 180608 File Visible: - Signed: - Status: - Name: mrxsmb.sys Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys Address: 0xB782A000 Size: 455936 File Visible: - Signed: - Status: - Name: Msfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS Address: 0xBA418000 Size: 19072 File Visible: - Signed: - Status: - Name: msgpc.sys Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys Address: 0xB963A000 Size: 35072 File Visible: - Signed: - Status: - Name: mssmbios.sys Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys Address: 0xB9CF1000 Size: 15488 File Visible: - Signed: - Status: - Name: Mup.sys Image Path: Mup.sys Address: 0xB9DC9000 Size: 105344 File Visible: - Signed: - Status: - Name: NDIS.sys Image Path: NDIS.sys Address: 0xB9DE3000 Size: 182656 File Visible: - Signed: - Status: - Name: ndistapi.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys Address: 0xB9D01000 Size: 10112 File Visible: - Signed: - Status: - Name: ndisuio.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys Address: 0xAEE3B000 Size: 14592 File Visible: - Signed: - Status: - Name: ndiswan.sys Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys Address: 0xB8B77000 Size: 91520 File Visible: - Signed: - Status: - Name: NDProxy.SYS Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS Address: 0xBA238000 Size: 40960 File Visible: - Signed: - Status: - Name: netbios.sys Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys Address: 0xBA288000 Size: 34688 File Visible: - Signed: - Status: - Name: netbt.sys Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys Address: 0xB7987000 Size: 162816 File Visible: - Signed: - Status: - Name: npf.sys Image Path: C:\WINDOWS\system32\drivers\npf.sys Address: 0xB9D99000 Size: 61440 File Visible: - Signed: - Status: - Name: Npfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS Address: 0xBA420000 Size: 30848 File Visible: - Signed: - Status: - Name: Ntfs.sys Image Path: Ntfs.sys Address: 0xB9E10000 Size: 574976 File Visible: - Signed: - Status: - Name: ntkrnlpa.exe Image Path: C:\WINDOWS\system32\ntkrnlpa.exe Address: 0x804D7000 Size: 2069376 File Visible: - Signed: - Status: - Name: Null.SYS Image Path: C:\WINDOWS\System32\Drivers\Null.SYS Address: 0xBA779000 Size: 2944 File Visible: - Signed: - Status: - Name: ohci1394.sys Image Path: ohci1394.sys Address: 0xBA198000 Size: 61696 File Visible: - Signed: - Status: - Name: parport.sys Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys Address: 0xB8B8E000 Size: 80128 File Visible: - Signed: - Status: - Name: PartMgr.sys Image Path: PartMgr.sys Address: 0xBA330000 Size: 19712 File Visible: - Signed: - Status: - Name: pci.sys Image Path: pci.sys Address: 0xB9F68000 Size: 68224 File Visible: - Signed: - Status: - Name: pciide.sys Image Path: pciide.sys Address: 0xBA670000 Size: 3328 File Visible: - Signed: - Status: - Name: PCIIDEX.SYS Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS Address: 0xBA328000 Size: 28672 File Visible: - Signed: - Status: - Name: perc2.sys Image Path: perc2.sys Address: 0xBA388000 Size: 27296 File Visible: - Signed: - Status: - Name: perc2hib.sys Image Path: perc2hib.sys Address: 0xBA5B8000 Size: 5504 File Visible: - Signed: - Status: - Name: PnpManager Image Path: \Driver\PnpManager Address: 0x804D7000 Size: 2069376 File Visible: - Signed: - Status: - Name: portcls.sys Image Path: C:\WINDOWS\system32\drivers\portcls.sys Address: 0xB8BA2000 Size: 147456 File Visible: - Signed: - Status: - Name: psched.sys Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys Address: 0xB8B66000 Size: 69120 File Visible: - Signed: - Status: - Name: ptilink.sys Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys Address: 0xBA3F0000 Size: 17792 File Visible: - Signed: - Status: - Name: PxHelp20.sys Image Path: PxHelp20.sys Address: 0xBA398000 Size: 19936 File Visible: - Signed: - Status: - Name: ql1080.sys Image Path: ql1080.sys Address: 0xBA128000 Size: 40320 File Visible: - Signed: - Status: - Name: ql10wnt.sys Image Path: ql10wnt.sys Address: 0xBA0E8000 Size: 33152 File Visible: - Signed: - Status: - Name: ql12160.sys Image Path: ql12160.sys Address: 0xBA148000 Size: 45312 File Visible: - Signed: - Status: - Name: ql1240.sys Image Path: ql1240.sys Address: 0xBA0F8000 Size: 40448 File Visible: - Signed: - Status: - Name: ql1280.sys Image Path: ql1280.sys Address: 0xBA138000 Size: 49024 File Visible: - Signed: - Status: - Name: rasacd.sys Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys Address: 0xB9CBD000 Size: 8832 File Visible: - Signed: - Status: - Name: rasl2tp.sys Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys Address: 0xB966A000 Size: 51328 File Visible: - Signed: - Status: - Name: raspppoe.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys Address: 0xB965A000 Size: 41472 File Visible: - Signed: - Status: - Name: raspptp.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys Address: 0xB964A000 Size: 48384 File Visible: - Signed: - Status: - Name: raspti.sys Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys Address: 0xBA3F8000 Size: 16512 File Visible: - Signed: - Status: - Name: RAW Image Path: \FileSystem\RAW Address: 0x804D7000 Size: 2069376 File Visible: - Signed: - Status: - Name: rdbss.sys Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys Address: 0xB789A000 Size: 175744 File Visible: - Signed: - Status: - Name: RDPCDD.sys Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys Address: 0xBA5DC000 Size: 4224 File Visible: - Signed: - Status: - Name: redbook.sys Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys Address: 0xB96AA000 Size: 57600 File Visible: - Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xAE293000 Size: 49152 File Visible: No Signed: - Status: - Name: Rtnicxp.sys Image Path: C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys Address: 0xB8E1C000 Size: 105088 File Visible: - Signed: - Status: - Name: SCSIPORT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS Address: 0xB9F31000 Size: 98304 File Visible: - Signed: - Status: - Name: serenum.sys Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys Address: 0xB9D05000 Size: 15744 File Visible: - Signed: - Status: - Name: serial.sys Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys Address: 0xB968A000 Size: 64512 File Visible: - Signed: - Status: - Name: sparrow.sys Image Path: sparrow.sys Address: 0xBA338000 Size: 19072 File Visible: - Signed: - Status: - Name: srv.sys Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys Address: 0xAE58B000 Size: 357888 File Visible: - Signed: - Status: - Name: ssmdrv.sys Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys Address: 0xBA428000 Size: 23040 File Visible: - Signed: - Status: - Name: sunkfilt.sys Image Path: C:\WINDOWS\System32\Drivers\sunkfilt.sys Address: 0xBA438000 Size: 24640 File Visible: - Signed: - Status: - Name: swenum.sys Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys Address: 0xBA5D0000 Size: 4352 File Visible: - Signed: - Status: - Name: sym_hi.sys Image Path: sym_hi.sys Address: 0xBA360000 Size: 28384 File Visible: - Signed: - Status: - Name: sym_u3.sys Image Path: sym_u3.sys Address: 0xBA368000 Size: 30688 File Visible: - Signed: - Status: - Name: symc810.sys Image Path: symc810.sys Address: 0xBA4C4000 Size: 16256 File Visible: - Signed: - Status: - Name: symc8xx.sys Image Path: symc8xx.sys Address: 0xBA358000 Size: 32640 File Visible: - Signed: - Status: - Name: sysaudio.sys Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys Address: 0xAECAB000 Size: 60800 File Visible: - Signed: - Status: - Name: tcpip.sys Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys Address: 0xB79AF000 Size: 361600 File Visible: - Signed: - Status: - Name: TDI.SYS Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS Address: 0xBA3E8000 Size: 20480 File Visible: - Signed: - Status: - Name: termdd.sys Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys Address: 0xBA228000 Size: 40704 File Visible: - Signed: - Status: - Name: toside.sys Image Path: toside.sys Address: 0xBA5B0000 Size: 4992 File Visible: - Signed: - Status: - Name: ultra.sys Image Path: ultra.sys Address: 0xBA118000 Size: 36736 File Visible: - Signed: - Status: - Name: update.sys Image Path: C:\WINDOWS\system32\DRIVERS\update.sys Address: 0xB8ACD000 Size: 384768 File Visible: - Signed: - Status: - Name: USBD.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS Address: 0xBA5D2000 Size: 8192 File Visible: - Signed: - Status: - Name: usbehci.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys Address: 0xBA3D0000 Size: 30208 File Visible: - Signed: - Status: - Name: usbhub.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys Address: 0xBA258000 Size: 59520 File Visible: - Signed: - Status: - Name: USBPORT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS Address: 0xB8BF8000 Size: 147456 File Visible: - Signed: - Status: - Name: USBSTOR.SYS Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS Address: 0xBA440000 Size: 26368 File Visible: - Signed: - Status: - Name: usbuhci.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys Address: 0xBA4B0000 Size: 20608 File Visible: - Signed: - Status: - Name: vga.sys Image Path: C:\WINDOWS\System32\drivers\vga.sys Address: 0xBA410000 Size: 20992 File Visible: - Signed: - Status: - Name: viaagp.sys Image Path: viaagp.sys Address: 0xBA188000 Size: 42240 File Visible: - Signed: - Status: - Name: viaagp1.sys Image Path: viaagp1.sys Address: 0xBA3A0000 Size: 27904 File Visible: - Signed: - Status: - Name: viaide.sys Image Path: viaide.sys Address: 0xBA5B2000 Size: 5376 File Visible: - Signed: - Status: - Name: VIDEOPRT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS Address: 0xB8E36000 Size: 81920 File Visible: - Signed: - Status: - Name: vinyl97.sys Image Path: C:\WINDOWS\system32\drivers\vinyl97.sys Address: 0xB8BC6000 Size: 204672 File Visible: - Signed: - Status: - Name: VolSnap.sys Image Path: VolSnap.sys Address: 0xBA0C8000 Size: 52352 File Visible: - Signed: - Status: - Name: vtdisp.dll Image Path: C:\WINDOWS\System32\vtdisp.dll Address: 0xBF012000 Size: 3457024 File Visible: - Signed: - Status: - Name: vtmini.sys Image Path: C:\WINDOWS\system32\DRIVERS\vtmini.sys Address: 0xB8E4A000 Size: 173696 File Visible: - Signed: - Status: - Name: wanarp.sys Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys Address: 0xBA2C8000 Size: 34560 File Visible: - Signed: - Status: - Name: watchdog.sys Image Path: C:\WINDOWS\System32\watchdog.sys Address: 0xBA490000 Size: 20480 File Visible: - Signed: - Status: - Name: wdmaud.sys Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys Address: 0xAEAC1000 Size: 83072 File Visible: - Signed: - Status: - Name: Win32k Image Path: \Driver\Win32k Address: 0xBF800000 Size: 1859584 File Visible: - Signed: - Status: - Name: win32k.sys Image Path: C:\WINDOWS\System32\win32k.sys Address: 0xBF800000 Size: 1859584 File Visible: - Signed: - Status: - Name: WMILIB.SYS Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: - Status: - Name: WMIxWDM Image Path: \Driver\WMIxWDM Address: 0x804D7000 Size: 2069376 File Visible: - Signed: - Status: -
  19. My desktop PC running Windows XP Home edition is infected with the fake XP Home Security virus. It will not allow me to do anything with Malwarebytes. I tried to download MBAM to a thumb drive and tried to run it from that, but couldn't do anything, even after renaming from MBAM.exe to another name, and starting in Safe mode. I can't even get onto this forum from that desktop, it throws up a couple of popups and then says it's scanning the system and finds a bunch of malware + spyware. I'm using our laptop which is in the next room from the desktop. Sorry I didn't start out by posting any logs, but I can't figure out how to get anything to work on the desktop- even in safe mode. I did figure out that one of the problem programs shows up as "gcc.exe" on the windows task manager screen, but only shows up as this when I'm in safe mode- otherwise it seems to use different names and I cannot pinpoint which one it is. Any help would be greatly appreciated. TIA. Rig.
  20. Did this ^ and then went to Administrative Services under Control Panel, etc and started printer spooler and everything seems to be back to normal once again. THANKS!!!!!!
  21. Here's the SystemLook log: SystemLook 04.09.10 by jpshortstuff Log created at 09:20 on 04/12/2010 by Owner Administrator - Elevation successful ========== filefind ========== Searching for "spoolsv.exe" C:\WINDOWS\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe --a---- 58880 bytes [13:19 17/08/2010] [13:19 17/08/2010] 258DD5D4283FD9F9A7166BE9AE45CE73 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe --a---- 57856 bytes [00:17 11/06/2005] [00:17 11/06/2005] AD3D9D191AEA7B5445FE1D82FFBB4788 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe -----c- 57856 bytes [14:46 27/08/2008] [23:53 10/06/2005] DA81EC57ACD4CDC3D4C51CF3D409AF9F C:\WINDOWS\$NtUninstallKB2347290$\spoolsv.exe -----c- 57856 bytes [07:06 16/09/2010] [00:12 14/04/2008] D8E14A61ACC1D4A6CD0D38AEBAC7FA3B C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe -----c- 57856 bytes [04:41 18/09/2005] [19:00 04/08/2004] 7435B108B935E42EA92CA94F59C8E717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe ------- 57856 bytes [23:28 21/08/2008] [00:12 14/04/2008] D8E14A61ACC1D4A6CD0D38AEBAC7FA3B C:\WINDOWS\system32\dllcache\spoolsv.exe --a--c- 58880 bytes [16:12 26/08/2004] [13:17 17/08/2010] 60784F891563FB1B767F70117FC2428F -= EOF =-
  22. I had some virus/malware problems that were causing my system to shut down when trying to update MBAM. LDTate on this board graciously helped me with the removal, but now my printer is not working. Here's my HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:17:09 PM, on 12/3/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Digital Media Reader\shwiconem.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Microsoft ActiveSync\Wcescomm.exe C:\Palm\HOTSYNC.EXE C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKLM\..\RunOnce: [innoSetupRegFile.0000000001] "C:\WINDOWS\is-V5BL6.exe" /REG /REGSVRMODE O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187193179013 O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://apps.chicago.auctionsolutions.com/4...ll/isetupml.cab O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default/applets/g2mdlax.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing) O23 - Service: Trend Micro RUBotted Service - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe -- End of file - 9636 bytes I tried these instructions below, as given in a related thread, but it did not work. "start>control panel>administrative Tools>Services> scroll down to print spooler>right click it>click properties>make sure you are on the general tab> go down to startup type and make sure its on automatic>then hit apply> Note: If the service shows Stopped, start it. then click the start button under the service status>apply again>hit OK. now exit all of the services and administrative tools and go to where your printer and faxes are located and now try to install a printer or try to print." --------- This is the error message I got: "Could not start the printer spooler on Local Computer. Error 2 : the system cannot find the specified file"
  23. Did a successful quick scan with MBAM. Any idea what the problem was?? Thanks a million for your help!!!!
  24. WOOT!! I just updated successfully, went from version 4052 to 5203. I'll be offline for a few while I run a quick scan. I'll report back as soon as it's done. Thanks!!
  25. Newest ComboFix log: ComboFix 10-11-27.01 - Owner 11/27/2010 22:14:11.4.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.1036 [GMT -5:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} file zipped: c:\documents and settings\Owner\Application Data\sdfsf.bat file zipped: c:\windows\system32\drivers\btndwf.sys . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Owner\Application Data\sdfsf.bat c:\windows\system32\drivers\btndwf.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_btndwf -------\Service_btndwf ((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 ))))))))))))))))))))))))))))))) . 2010-11-26 03:42 . 2010-11-26 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan 2010-11-26 03:42 . 2010-11-26 03:42 -------- d-----w- c:\program files\Security Task Manager 2010-11-24 14:45 . 2010-11-24 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro 2010-11-17 22:53 . 2005-09-16 16:46 44224 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS 2010-11-16 22:27 . 2010-11-16 22:27 -------- d-----w- c:\program files\RootkitBuster_2.80.1077 2010-11-16 22:27 . 2010-11-16 22:27 -------- d-----w- c:\program files\WinPcap 2010-11-16 22:26 . 2010-11-27 23:09 -------- d-----w- c:\program files\Trend Micro 2010-11-16 05:37 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe 2010-11-16 03:14 . 2010-09-23 07:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2010-11-16 03:14 . 2010-11-16 03:14 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2010-11-16 03:11 . 2010-11-16 03:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software 2010-11-16 02:41 . 2010-11-16 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2010-11-16 02:41 . 2010-11-16 02:41 -------- d-----w- c:\program files\Lavasoft 2010-11-16 02:36 . 2010-11-16 02:42 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097} 2010-11-16 02:16 . 2010-11-16 02:16 -------- d-----w- c:\documents and settings\Owner\Application Data\MSNInstaller 2010-11-16 00:56 . 2004-08-04 19:00 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll 2010-11-16 00:56 . 2004-08-04 19:00 6656 ----a-w- c:\windows\system32\c_is2022.dll 2010-11-16 00:54 . 2010-11-16 02:12 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit 2010-11-16 00:54 . 2010-11-16 00:54 -------- d-----w- c:\program files\IObit 2010-11-16 00:25 . 2010-11-16 00:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-11-16 00:23 . 2008-04-13 19:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys 2010-11-16 00:23 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys 2010-11-15 20:23 . 2010-11-15 20:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2010-11-15 20:21 . 2010-11-16 00:25 -------- d-----w- c:\program files\Panda Security 2010-11-14 23:36 . 2010-11-16 04:01 -------- d-----w- c:\program files\SpywareBlaster 2010-11-14 23:21 . 2010-11-14 23:21 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com 2010-11-14 23:21 . 2010-11-14 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-11-14 23:20 . 2008-04-13 19:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys 2010-11-14 23:20 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys 2010-11-14 23:19 . 2008-04-13 19:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys 2010-11-14 23:19 . 2008-04-13 19:39 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys 2010-11-14 23:19 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll 2010-11-14 23:19 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll 2010-11-14 23:16 . 2008-04-14 01:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll 2010-11-14 23:16 . 2008-04-14 01:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll 2010-11-14 23:16 . 2008-04-14 01:12 43008 ----a-w- c:\windows\system32\ksxbar.ax 2010-11-14 23:16 . 2008-04-14 01:12 91136 ----a-w- c:\windows\system32\kswdmcap.ax 2010-11-14 23:16 . 2008-04-14 01:12 61952 ----a-w- c:\windows\system32\kstvtune.ax 2010-11-14 23:16 . 2008-04-14 01:12 20992 ----a-w- c:\windows\system32\dshowext.ax 2010-11-14 23:15 . 2008-04-13 19:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys 2010-11-14 23:15 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys 2010-11-13 17:01 . 2010-11-13 21:11 -------- d-----w- c:\documents and settings\Administrator 2010-11-13 02:53 . 2010-11-27 20:57 -------- d-----w- c:\windows\system32\NtmsData 2010-11-13 02:52 . 2010-11-13 02:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira 2010-11-13 02:43 . 2010-11-23 01:18 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2010-11-13 02:43 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys 2010-11-13 02:43 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2010-11-13 02:43 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2010-11-13 02:43 . 2010-11-13 02:43 -------- d-----w- c:\program files\Avira 2010-11-13 02:43 . 2010-11-13 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2010-11-11 20:52 . 2010-11-11 20:52 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2010-11-11 13:48 . 2010-11-12 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\aHbMb02039 2010-11-11 13:48 . 2010-11-11 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-09-18 16:23 . 2004-08-26 16:11 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2004-08-26 16:11 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2004-08-26 16:11 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2004-08-26 16:11 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-15 09:50 . 2010-05-13 02:34 472808 ----a-w- c:\windows\system32\deployJava1.dll 2010-09-15 07:29 . 2007-04-23 13:18 73728 ----a-w- c:\windows\system32\javacpl.cpl 2010-09-10 05:58 . 2004-08-26 16:12 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2004-08-26 16:11 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2004-08-26 16:11 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51 . 2004-08-26 16:11 285824 ----a-w- c:\windows\system32\atmfd.dll 2010-08-31 13:42 . 2004-08-26 16:12 1852800 ----a-w- c:\windows\system32\win32k.sys 2005-12-22 15:50 . 2005-12-23 05:39 774144 ----a-w- c:\program files\RngInterstitial.dll . ------- Sigcheck ------- [7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe [7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe [7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe [7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe [-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe [-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe [7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe c:\windows\System32\spoolsv.exe ... is missing !! . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-04 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768] "VTTimer"="VTTimer.exe" [2005-03-08 53248] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "SoundMan"="SOUNDMAN.EXE" [2003-12-09 67584] "hplampc"="c:\windows\system32\hplampc.exe" [2002-01-17 40448] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-16 198160] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768] "Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-10-11 1103184] c:\documents and settings\Owner\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2003-4-22 299008] OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\America Online 9.0\\waol.exe"= "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"= "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"= "c:\\Program Files\\Common Files\\AOL\\1122639952\\EE\\AOLServiceHost.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\Program Files\\Auction Client\\RingStart.exe"= "c:\\Program Files\\Common Files\\AOL\\1122639952\\EE\\aolsoftware.exe"= "c:\\Program Files\\Common Files\\AOL\\1122639952\\EE\\aim6.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Palm\\HOTSYNC.EXE"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/15/2010 10:14 PM 64288] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/12/2010 9:43 PM 135336] R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704] R2 Trend Micro RUBotted Service;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [11/16/2010 5:26 PM 431440] S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?] S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 7:36 PM 135664] S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [5/31/2007 9:32 PM 9312] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 2:46 AM 1375992] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/23/2010 2:46 AM 15264] . Contents of the 'Scheduled Tasks' folder 2010-11-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 03:20] 2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 00:36] 2010-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 00:36] 2005-09-16 c:\windows\Tasks\ISP signup reminder 3.job - c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.hotmail.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\52ytqx53.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s= FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Extension: CyberSearch: cybersearch@cybernetnews.com - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\52ytqx53.default\extensions\cybersearch@cybernetnews.com FF - Extension: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\52ytqx53.default\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79} FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Owner\Application Data\Move Networks ---- FIREFOX POLICIES ---- FF - user.js: browser.cache.memory.capacity - 65536 FF - user.js: browser.chrome.favicons - false FF - user.js: browser.display.show_image_placeholders - true FF - user.js: browser.search.order.1 - Search FF - user.js: browser.turbo.enabled - true FF - user.js: browser.urlbar.autocomplete.enabled - true FF - user.js: browser.urlbar.autofill - true FF - user.js: content.interrupt.parsing - true FF - user.js: content.max.tokenizing.time - 2250000 FF - user.js: content.notify.backoffcount - 5 FF - user.js: content.notify.interval - 750000 FF - user.js: content.notify.ontimer - true FF - user.js: content.switch.threshold - 750000 FF - user.js: keyword.URL - hxxp://search.fresh-search.net/?sid=10101069100&s= FF - user.js: network.http.max-connections - 48 FF - user.js: network.http.max-connections-per-server - 16 FF - user.js: network.http.max-persistent-connections-per-proxy - 16 FF - user.js: network.http.max-persistent-connections-per-server - 8 FF - user.js: network.http.pipelining - true FF - user.js: network.http.pipelining.firstrequest - true FF - user.js: network.http.pipelining.maxrequests - 8 FF - user.js: network.http.proxy.pipelining - true FF - user.js: network.http.request.max-start-delay - 0 FF - user.js: nglayout.initialpaint.delay - 0 FF - user.js: plugin.expose_full_path - true FF - user.js: ui.submenuDelay - 0 . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-11-27 22:21 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2744) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\program files\Common Files\aolshare\aolshcpy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\VTTimer.exe c:\windows\SOUNDMAN.EXE c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Microsoft ActiveSync\Wcescomm.exe c:\program files\OpenOffice.org 2.0\program\soffice.exe c:\program files\Java\jre6\bin\jqs.exe c:\progra~1\MICROS~4\rapimgr.exe c:\program files\OpenOffice.org 2.0\program\soffice.BIN c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS c:\windows\System32\snmp.exe . ************************************************************************** . Completion time: 2010-11-27 22:25:53 - machine was rebooted ComboFix-quarantined-files.txt 2010-11-28 03:25 ComboFix2.txt 2010-11-28 02:48 ComboFix3.txt 2010-11-28 02:19 ComboFix4.txt 2010-11-28 01:47 Pre-Run: 135,747,559,424 bytes free Post-Run: 135,636,561,920 bytes free - - End Of File - - A936E48DD9C1A5133A00C8CDC6DA8932
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.