rysktkr
Honorary Members
Everything posted by rysktkr
-
My daughter's laptop had some infections detected by MWB. However, it is still running slow. Additionally, I have another PC on my home network that is infected with a ZeroAccess infection that has been inserted into the TCP/IP stack. I'm not sure if this may have propagated to her laptop. Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:34:02 PM, on 6/27/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16446)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\Fallon\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Registry Mechanic\upgrade.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [skytel] Skytel.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"
O4 - HKLM\..\Run: [bDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-21-1998233532-487228089-2655391932-1000\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Fallon')
O4 - HKUS\S-1-5-21-1998233532-487228089-2655391932-1000\..\Run: [Acer Tour Reminder] (User 'Fallon')
O4 - HKUS\S-1-5-21-1998233532-487228089-2655391932-1000\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Fallon')
O4 - HKUS\S-1-5-21-1998233532-487228089-2655391932-1000\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Fallon')
O4 - S-1-5-21-1998233532-487228089-2655391932-1000 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Fallon')
O4 - S-1-5-21-1998233532-487228089-2655391932-1000 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Fallon')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (BitDefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} (P3DActiveX Control) - http://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
O16 - DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} (WebSlingPlayer) - http://plugin.slingbox.com/downloads/pc/1.4.0.85/WebSlingPlayer.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\Windows\System32\eNetHook.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11880 bytes
-
Have multiple infections please help
rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs
Also, how do I prevent this from spreading to other PCs on my home network? On my daughter's laptop and the HTPC I have found infections with similar symptoms. They both accessed a shared drive on the ZeroAccess-infected computer (the one we are working on in this thread). My wife's computer is clean, at least as far as MWB and ESET scans go. She hasn't accessed the infected computer. I'm guessing the answer is to turn off sharing until all computers are clean?
-
Have multiple infections please help
rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs
Unfortunately, running ComboFix in normal mode hung the computer. Before it hung, a dialog box appeared saying I was infected with the ZeroAccess infection.
-
Have multiple infections please help
rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs
That worked! Below is the log:

ComboFix 12-06-27.01 - Mark 06/27/2012 10:39:02.10.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2595 [GMT -7:00]
Running from: c:\documents and settings\Mark\desktop\ComboFix.exe
Command switches used :: /nombr
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\22500634ug8u87c8e64k6l3sf3v
c:\documents and settings\All Users\Application Data\kpI0dn6tFIoruY
c:\documents and settings\All Users\Application Data\l0gdw4nUSn3xA4
c:\documents and settings\All Users\Application Data\l0gdw4nUSn3xA4.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}\Setup.ilg
c:\documents and settings\All Users\Application Data\TEMP\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}\Setup.exe
c:\documents and settings\All Users\Application Data\TEMP\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{E8C64028-08E5-4BF0-B1C0-DBAAC6A77DF1}\PostBuild.exe
c:\documents and settings\Mark\Application Data\Gomodu
c:\documents and settings\Mark\Application Data\Gomodu\ywnui.exe
c:\documents and settings\Mark\Application Data\Isar
c:\documents and settings\Mark\Application Data\Isar\pudy.exe
c:\documents and settings\Mark\Application Data\Soavw
c:\documents and settings\Mark\Application Data\Soavw\ockec.adl
c:\documents and settings\Mark\Desktop\Data_Recovery.lnk
c:\documents and settings\Mark\Local Settings\Application Data\ummcbzl.exe
c:\documents and settings\Mark\My Documents\~WRL1063.tmp
c:\documents and settings\Mark\My Documents\~WRL1136.tmp
c:\documents and settings\Mark\My Documents\~WRL1308.tmp
c:\documents and settings\Mark\My Documents\~WRL1422.tmp
c:\documents and settings\Mark\My Documents\~WRL2838.tmp
c:\documents and settings\Mark\My Documents\~WRL3027.tmp
c:\documents and settings\Mark\My Documents\~WRL3959.tmp
c:\documents and settings\Mark\My Documents\~WRL4047.tmp
C:\NPE.exe
c:\windows\system32\cttype.nls
c:\windows\system32\dllcache\dlimport.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-27 to 2012-06-27 )))))))))))))))))))))))))))))))
.
.
2012-06-27 15:40 . 2012-06-27 15:40 -------- d-----w- c:\documents and settings\Mark\Application Data\Ozbuir
2012-06-27 15:40 . 2012-06-27 15:40 -------- d-----w- C:\Reg_Backup
2012-06-27 15:40 . 2012-06-27 16:08 181064 ----a-w- c:\windows\PSEXESVC.EXE
2012-06-27 15:38 . 2012-06-27 15:49 -------- d-----w- c:\documents and settings\Mark\Application Data\Taubox
2012-06-27 15:38 . 2012-06-27 15:38 -------- d-----w- c:\documents and settings\Mark\Application Data\Arpy
2012-06-27 15:38 . 2012-06-27 15:42 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2012-06-26 17:40 . 2012-06-26 18:06 -------- d-----w- C:\fred
2012-06-26 15:51 . 2012-06-26 15:51 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-26 14:35 . 2012-06-26 14:35 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\Google
2012-06-26 14:21 . 2012-06-26 14:21 -------- d-----w- c:\program files\Trend Micro
2012-06-26 02:30 . 2012-06-26 02:30 -------- d-----w- c:\documents and settings\Administrator.MYPC\Application Data\Malwarebytes
2012-06-26 02:28 . 2012-06-26 02:28 388096 ----a-r- c:\documents and settings\Administrator.MYPC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-06-26 02:23 . 2012-06-26 02:23 -------- d-sh--w- c:\documents and settings\Administrator.MYPC\IETldCache
2012-06-25 22:35 . 2012-06-25 22:43 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\NPE
2012-06-25 22:35 . 2012-06-25 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-06-25 15:04 . 2012-06-25 15:04 607260 ------r- C:\dds.scr
2012-06-07 18:14 . 2012-06-07 18:14 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-07 18:14 . 2012-06-07 18:14 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-05 04:49 . 2012-06-05 04:49 -------- d-----w- c:\documents and settings\Mark\Application Data\FreeArc
2012-06-05 04:46 . 2012-06-05 04:46 -------- d-----w- c:\windows\system32\3081
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-27 15:10 . 2012-05-05 16:36 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-27 15:10 . 2011-05-20 18:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-27 15:10 . 2012-05-05 17:10 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-06-02 22:19 . 2008-10-16 21:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19 . 2009-04-12 00:25 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 22:19 . 2009-04-12 00:25 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 22:19 . 2009-04-12 00:25 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19 . 2009-04-12 00:25 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2009-04-12 00:25 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2008-10-16 21:09 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 22:19 . 2008-10-16 21:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:19 . 2009-04-12 00:25 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2009-04-12 00:25 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_6.exe
2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_5.exe
2012-04-11 13:14 . 2004-08-04 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2004-08-04 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 22:56 . 2011-07-28 14:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-07 18:14 . 2012-05-14 15:38 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-17 39408]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"DAEMON Tools Lite"="c:\util\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2012-03-09 5934712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"V0230Mon.exe"="c:\windows\system32\V0230Mon.exe" [2006-07-19 36961]
"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-02-23 1226024]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]
"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-11-18 75048]
"Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-09-11 3622184]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector10\MUITransfer\MUIStartMenu.exe" [2010-09-17 222504]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-04 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-01-03 640440]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
.
c:\documents and settings\Mark\Start Menu\Programs\Startup\
Check for TWS Updates.lnk - c:\program files\Jts\WiseUpdt.exe [2011-9-7 194775]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-24 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-29 607584]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
TotalMedia Server.lnk - c:\program files\ArcSoft\TotalMedia Theatre 5\TotalMedia Server\TM Server.exe [2011-8-17 519744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ArcSoft\\TotalMedia Theatre 5\\TotalMedia Server\\TM Server.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [4/11/2009 5:49 PM 113904]
R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [6/27/2009 9:53 AM 96512]
R1 ArcSec;archlp;c:\windows\system32\drivers\ArcSec.sys [9/21/2010 9:10 AM 192504]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [4/11/2009 5:49 PM 79616]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/24 13:54];c:\program files\Cyberlink\PowerDVD10\NavFilter\000.fcl [11/17/2010 9:29 PM 87536]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/31 16:45];c:\program files\Cyberlink\PowerDVD9\000.fcl [3/30/2009 5:53 PM 87536]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [11/18/2010 3:58 PM 20328]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 4:02 PM 335888]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [2/18/2010 3:01 PM 462632]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/22/2011 4:52 PM 2214504]
R2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\x86\rainfo.sys [4/17/2007 2:00 PM 12992]
R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;c:\windows\system32\drivers\RARfsDriver.sys [4/4/2010 8:20 AM 46000]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4/11/2009 5:49 PM 1990656]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 2:16 PM 93960]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 5:54 AM 206120]
R2 StorageCraft Image Manager;StorageCraft Image Manager;c:\program files\StorageCraft\ImageManager\ImageManager.exe [10/24/2007 3:26 PM 69632]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 5:54 AM 185640]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [5/29/2009 10:02 AM 66944]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [4/11/2009 5:49 PM 61952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/7/2012 7:20 PM 106656]
R3 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys [4/17/2007 2:00 PM 10168]
R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [6/25/2010 12:43 AM 6272]
R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [6/25/2010 12:43 AM 500480]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl --> c:\program files\PowerDVD8\PowerDVD8\000.fcl [?]
S2 gupdate1ca0bc6b51516ae;Google Update Service (gupdate1ca0bc6b51516ae);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104]
S2 StorageCraft Image Manager32;StorageCraft Image Manager ;c:\windows\system32\ntsdexts32.exe --> c:\windows\system32\ntsdexts32.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/5/2012 9:36 AM 250056]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [8/11/2009 8:45 AM 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/7/2011 9:11 AM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/7/2011 9:11 AM 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/26/2012 8:51 AM 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/14/2012 8:38 AM 113120]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/26/2009 9:59 PM 47360]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S4 RARfsClientNP;RARfsClientNP; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 12:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 15:10]
.
2012-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]
.
2012-06-26 c:\windows\Tasks\At1.job
- c:\windows\system32\rasphonne.exe [2004-08-04 00:12]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003Core.job
- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003UA.job
- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37]
.
2012-06-27 c:\windows\Tasks\User_Feed_Synchronization-{A7972C66-43AF-4964-A40E-32D2946479FE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\p5oo56mt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Codexii - c:\documents and settings\Mark\Application Data\Gomodu\ywnui.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Mark\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-27 11:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
c:\windows\system32\wuauclt.exe [3576] 0x8722E020
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-1303643608-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\RARfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\RARfsClientNP.dll
.
Completion time: 2012-06-27 11:44:40
ComboFix-quarantined-files.txt 2012-06-27 18:44
ComboFix2.txt 2011-12-20 00:00
.
Pre-Run: 223,872,761,856 bytes free
Post-Run: 238,820,614,144 bytes free
.
- - End Of File - - 481BF3507BE7909831EB576D9B18FEAC
-
Have multiple infections please help
rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs
No luck. I tried ComboFix in safe mode several times and it hung the computer. Even tried letting it run overnight. -
Have multiple infections please help
rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs
Well, I ran ComboFix twice; both times it hung the computer. It mentioned that I had ZeroAccess and that it was inserted into the TCP/IP stack. I am hoping that doesn't imply that it could have spread itself to other computers on my home network. -
Have multiple infections please help
rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs
Just got your latest post, yikes! If I opt to attempt cleanup rather than nuke and pave, what are my chances this rootkit is removed? 70%, 50%, etc.? -
Have multiple infections please help
rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs
Actually, I was now able to delete C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe. Whatever infection I have, it turned the file view back to "Do not show hidden files and folders". I was able to switch it back and delete it. Unfortunately it looks like all file and folder attributes were changed to "hidden" on all my drives. -
Have multiple infections please help
rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs
Hi MrCharlie, I accomplished everything requested with the exception of: Delete this file: C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe While HJT was running I opened up Windows Explorer and could see this file. I waited for HJT to complete before trying to delete it. Once HJT was finished I could not see any files in the C drive. Note this has been the case during this infection. Here is the log you requested. -
My SEP detected Bloodhound.MalPE but was unable to remove it. I ran Malwarebytes; it detected several viruses and trojans. Unfortunately the removal was not successful and I can't even run it anymore. I tried running DDS to get a log, but it freezes every time at the progress location. I was able to get a successful HJT log, pasted below:
-
Dear Elise, Thank you so much for helping remove the malware! Happy Holidays! -Mark
-
Hi Elise, ESET found no threats. Also, here is my mbam log. It also appears to be clean. PC seems to be running normally now. Does this mean it is safe to enter financial data (i.e., Quicken, credit card info, etc.) on this PC?

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 911122102
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
12/21/2011 2:59:29 AM
mbam-log-2011-12-21 (02-59-29).txt
Scan type: Full scan (C:\|F:\|G:\|I:\|)
Objects scanned: 846586
Time elapsed: 4 hour(s), 8 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
-
I no longer am being redirected. The last combofix run seems to have fixed it!
-
Had several popups regarding Windows Explorer fatal errors but no ZeroAccess errors. Here is the ComboFix log:
2011-12-11 17:00 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll + 2011-12-19 18:02 . 2011-12-19 18:02 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll + 2011-12-19 18:02 . 2011-12-19 18:02 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll - 2011-12-11 17:01 . 2011-12-11 17:01 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll - 2011-12-11 17:00 . 2011-12-11 17:00 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll + 2011-12-19 18:02 . 2011-12-19 18:02 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll - 2011-12-11 17:01 . 2011-12-11 17:01 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll + 2011-12-19 18:02 . 2011-12-19 18:02 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll - 2011-12-11 17:01 . 2011-12-11 17:01 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll + 2011-12-19 18:02 . 2011-12-19 18:02 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll - 2011-12-11 17:01 . 2011-12-11 17:01 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll + 2011-12-19 18:02 . 2011-12-19 18:02 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll - 2011-12-11 17:01 . 2011-12-11 17:01 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll + 2011-12-19 18:02 . 2011-12-19 18:02 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll - 2011-12-11 17:01 . 
2011-12-11 17:01 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll + 2011-12-19 18:02 . 2011-12-19 18:02 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll - 2004-08-04 12:00 . 2011-12-11 17:02 481500 c:\windows\system32\perfh009.dat + 2004-08-04 12:00 . 2011-12-19 18:03 481500 c:\windows\system32\perfh009.dat + 2011-11-24 18:45 . 2011-12-17 19:26 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe - 2011-11-24 18:45 . 2011-11-24 18:45 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe - 2011-11-24 18:45 . 2011-11-24 18:45 335520 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.dll + 2011-11-24 18:45 . 2011-12-17 19:26 335520 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.dll + 2010-04-24 20:50 . 2011-12-19 18:13 224763 c:\windows\system32\inetsrv\MetaBase.bin - 2010-03-10 02:14 . 2011-12-16 16:29 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat + 2010-03-10 02:14 . 2011-12-19 17:49 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat + 2011-12-11 17:01 . 2011-12-11 17:01 303104 c:\windows\assembly\temp\Z91KUDN6GZ\System.Runtime.Remoting.dll + 2011-12-11 17:00 . 2011-12-11 17:00 261632 c:\windows\assembly\temp\QRJ2CVNFYQ\System.Transactions.dll + 2011-12-11 17:01 . 2011-12-11 17:01 113664 c:\windows\assembly\temp\HRS2CMW6GQ\System.EnterpriseServices.Wrapper.dll + 2011-12-11 17:01 . 2011-12-11 17:01 258048 c:\windows\assembly\temp\HRS2CMW6GQ\System.EnterpriseServices.dll + 2011-12-11 17:00 . 2011-12-11 17:00 626688 c:\windows\assembly\temp\89SBL4EXGZ\System.Drawing.dll + 2011-12-11 17:01 . 2011-12-11 17:01 114688 c:\windows\assembly\temp\0SK34NOY89\System.ServiceProcess.dll + 2011-12-11 17:01 . 2011-12-11 17:01 425984 c:\windows\assembly\temp\0AK3DNXGQ0\System.configuration.dll - 2011-12-11 17:00 . 
2011-12-11 17:00 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll + 2011-12-19 18:02 . 2011-12-19 18:02 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll - 2011-12-11 17:00 . 2011-12-11 17:00 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll + 2011-12-19 18:02 . 2011-12-19 18:02 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll - 2011-12-11 17:01 . 2011-12-11 17:01 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll + 2011-12-19 18:02 . 2011-12-19 18:02 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll - 2011-12-11 17:00 . 2011-12-11 17:00 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll + 2011-12-19 18:02 . 2011-12-19 18:02 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll + 2011-12-19 18:02 . 2011-12-19 18:02 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll - 2011-12-11 17:01 . 2011-12-11 17:01 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll - 2011-12-11 17:01 . 2011-12-11 17:01 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll + 2011-12-19 18:02 . 2011-12-19 18:02 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll + 2011-12-19 18:02 . 2011-12-19 18:02 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll - 2011-12-11 17:01 . 
2011-12-11 17:01 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll - 2011-12-11 17:00 . 2011-12-11 17:00 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll + 2011-12-19 18:02 . 2011-12-19 18:02 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll - 2011-12-11 17:01 . 2011-12-11 17:01 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll + 2011-12-19 18:02 . 2011-12-19 18:02 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll + 2011-12-19 18:02 . 2011-12-19 18:02 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll - 2011-12-11 17:01 . 2011-12-11 17:01 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll + 2011-12-19 18:02 . 2011-12-19 18:02 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll - 2011-12-11 17:01 . 2011-12-11 17:01 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll - 2011-12-11 17:01 . 2011-12-11 17:01 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll + 2011-12-19 18:02 . 2011-12-19 18:02 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll + 2011-12-19 18:02 . 2011-12-19 18:02 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll - 2011-12-11 17:01 . 2011-12-11 17:01 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll + 2011-12-19 18:02 . 
2011-12-19 18:02 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll - 2011-12-11 17:01 . 2011-12-11 17:01 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll + 2011-12-19 18:02 . 2011-12-19 18:02 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll - 2011-12-11 17:00 . 2011-12-11 17:00 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll - 2011-12-11 17:00 . 2011-12-11 17:00 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll + 2011-12-19 18:02 . 2011-12-19 18:02 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll + 2011-12-19 18:02 . 2011-12-19 18:02 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll - 2011-12-11 17:00 . 2011-12-11 17:00 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll - 2011-12-11 17:00 . 2011-12-11 17:00 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll + 2011-12-19 18:02 . 2011-12-19 18:02 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll - 2011-12-11 17:01 . 2011-12-11 17:01 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll + 2011-12-19 18:02 . 2011-12-19 18:02 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll - 2011-12-11 17:01 . 2011-12-11 17:01 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll + 2011-12-19 18:02 . 
2011-12-19 18:02 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll + 2011-12-19 18:02 . 2011-12-19 18:02 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll - 2011-12-11 17:00 . 2011-12-11 17:00 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll - 2011-12-11 17:00 . 2011-12-11 17:00 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll + 2011-12-19 18:02 . 2011-12-19 18:02 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll + 2011-12-19 18:02 . 2011-12-19 18:02 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll - 2011-12-11 17:01 . 2011-12-11 17:01 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll + 2011-12-19 18:02 . 2011-12-19 18:02 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll - 2011-12-11 17:01 . 2011-12-11 17:01 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll - 2011-12-08 01:52 . 2011-12-16 19:41 223744 c:\windows\$NtUninstallKB44723$\1760806464\kwrd.dll + 2011-12-08 01:52 . 2011-12-19 17:39 223744 c:\windows\$NtUninstallKB44723$\1760806464\kwrd.dll - 2009-04-12 15:58 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe + 2009-04-12 15:58 . 2011-10-25 13:33 2192768 c:\windows\system32\dllcache\ntoskrnl.exe + 2004-08-03 22:59 . 2011-10-25 12:52 2027008 c:\windows\system32\dllcache\ntkrpamp.exe - 2004-08-03 22:59 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe + 2009-04-12 15:58 . 2011-10-25 12:52 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe - 2009-04-12 15:58 . 
2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe - 2004-08-04 12:00 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe + 2004-08-04 12:00 . 2011-10-25 13:37 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe + 2009-04-12 15:58 . 2011-10-25 13:33 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe - 2009-04-12 15:58 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe + 2009-04-12 15:58 . 2011-10-25 12:52 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe - 2009-04-12 15:58 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe + 2009-04-12 15:58 . 2011-10-25 12:52 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe - 2009-04-12 15:58 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe - 2009-04-12 15:58 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe + 2009-04-12 15:58 . 2011-10-25 13:37 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe + 2011-12-11 17:01 . 2011-12-11 17:01 2933248 c:\windows\assembly\temp\I1KUDN6GZI\System.Data.dll + 2011-12-11 17:00 . 2011-12-11 17:00 5025792 c:\windows\assembly\temp\89ATCM5O7H\System.Windows.Forms.dll + 2011-12-19 18:02 . 2011-12-19 18:02 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll - 2011-12-11 17:00 . 2011-12-11 17:00 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll - 2011-12-11 17:00 . 2011-12-11 17:00 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll + 2011-12-19 18:02 . 2011-12-19 18:02 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll - 2011-12-11 17:01 . 2011-12-11 17:01 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll + 2011-12-19 18:02 . 2011-12-19 18:02 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll . 
-- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-17 39408] "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2011-05-06 4980344] "DAEMON Tools Lite"="c:\util\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200] "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "V0230Mon.exe"="c:\windows\system32\V0230Mon.exe" [2006-07-19 36961] "NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-02-23 1226024] "AVFX Engine"="c:\program files\Creative\Creative Live! 
Cam\VideoFX\StartFX.exe" [2006-06-09 24576] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528] "RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336] "BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-11-18 75048] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424] "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360] "Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-09-11 3622184] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-06 421888] "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136] . c:\documents and settings\Mark\Start Menu\Programs\Startup\ Check for TWS Updates.lnk - c:\program files\Jts\WiseUpdt.exe [2011-9-7 194775] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-24 113664] Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-29 607584] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360] NovaBACKUP Tray Control.lnk - c:\program files\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe [2010-12-7 219784] TotalMedia Server.lnk - c:\program files\ArcSoft\TotalMedia Theatre 5\TotalMedia Server\TM Server.exe [2011-8-17 519744] . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLinkedConnections"= 1 (0x1) . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"= "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"= "c:\\util\\mIRC\\mirc.exe"= "c:\\drivers\\hpl7590\\OJProL7X00_Full_8_3\\setup\\HPZnui01.exe"= "c:\\drivers\\hpl7590\\OJProL7X00_Full_8_3\\setup\\hponicifs01.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"= "c:\\Program 
Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Cyberlink\\PowerDVD9\\PowerDVD9.exe"= "c:\\Program Files\\Salling Software AB\\Salling Clicker\\WinClicker.exe"= "c:\\Program Files\\SightSpeed\\SightSpeed.exe"= "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= "c:\\drivers\\hpl7590\\basic\\OJProL7X00_Basic_14\\setup\\hpznui01.exe"= "c:\\drivers\\hpl7590\\full\\OJProL7X00_Full_14\\setup\\hpznui01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"= "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"= "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"= "c:\\Program Files\\Cyberlink\\PowerDVD10\\PowerDVD10.exe"= "c:\\Program Files\\Nero\\Nero MediaHome 
4\\NMMediaServerService.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"= "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"= "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "5353:UDP"= 5353:UDP:Salling Clicker mDNS "50000:UDP"= 50000:UDP:IHA_MessageCenter . R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?] R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [4/11/2009 4:49 PM 113904] R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [6/27/2009 8:53 AM 96512] R1 ArcSec;archlp;c:\windows\system32\drivers\ArcSec.sys [9/21/2010 8:10 AM 192504] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 9:25 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 9:15 AM 66632] R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [4/11/2009 4:49 PM 79616] R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/24 13:54];c:\program files\Cyberlink\PowerDVD10\NavFilter\000.fcl [11/17/2010 8:29 PM 87536] R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/31 16:45];c:\program files\Cyberlink\PowerDVD9\000.fcl [3/30/2009 4:53 PM 87536] R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [11/18/2010 2:58 PM 20328] R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 3:02 PM 290832] R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program 
files\Nero\Update\NASvc.exe [2/18/2010 2:01 PM 462632] R2 nsService;NovaStor NovaBACKUP Backup/Copy Engine;c:\program files\NovaStor\NovaStor NovaBACKUP\nsService.exe [12/7/2010 1:41 PM 365704] R2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\x86\rainfo.sys [4/17/2007 1:00 PM 12992] R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;c:\windows\system32\drivers\RARfsDriver.sys [4/4/2010 7:20 AM 46000] R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4/11/2009 4:49 PM 1990656] R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 1:16 PM 93960] R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 4:54 AM 206120] R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 4:54 AM 185640] R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [5/29/2009 9:02 AM 66944] R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [4/11/2009 4:49 PM 61952] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/23/2011 8:53 PM 106104] R3 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys [4/17/2007 1:00 PM 10168] R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [6/24/2010 11:43 PM 6272] R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [6/24/2010 11:43 PM 498464] S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl --> c:\program files\PowerDVD8\PowerDVD8\000.fcl [?] 
S2 gupdate1ca0bc6b51516ae;Google Update Service (gupdate1ca0bc6b51516ae);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 10:52 AM 133104] S2 StorageCraft Image Manager;StorageCraft Image Manager;c:\program files\StorageCraft\ImageManager\ImageManager.exe [10/24/2007 2:26 PM 69632] S2 StorageCraft Image Manager32;StorageCraft Image Manager ;c:\windows\system32\ntsdexts32.exe --> c:\windows\system32\ntsdexts32.exe [?] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [8/11/2009 7:45 AM 1684736] S3 Backup Client Agent Service;Backup Client Agent Service;c:\program files\NovaStor\NovaStor NovaBACKUP\ManagementServer.Agent.Service.exe [11/22/2010 6:09 PM 179200] S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/7/2011 8:11 AM 13192] S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/7/2011 8:11 AM 8456] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 10:52 AM 133104] S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/26/2009 8:59 PM 47360] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 9:15 AM 12872] S4 RARfsClientNP;RARfsClientNP; [x] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - 19552629 *NewlyCreated* - 74702352 *Deregistered* - 19552629 *Deregistered* - 74702352 . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] 2009-03-08 12:32 128512 ----a-w- c:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder . 
2011-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34] . 2011-12-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52] . 2011-12-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52] . 2011-12-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003Core.job - c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37] . 2011-12-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003UA.job - c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37] . 2011-12-14 c:\windows\Tasks\User_Feed_Synchronization-{A7972C66-43AF-4964-A40E-32D2946479FE}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 12:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/?ilc=5 mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8 uInternet Settings,ProxyOverride = *.local TCP: DhcpNameServer = 192.168.1.1 68.238.64.12 DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\p5oo56mt.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p= FF - prefs.js: browser.search.selectedEngine - DAEMON Search FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p= . - - - - ORPHANS REMOVED - - - - . SafeBoot-74702352.sys . . . ************************************************************************** . 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-12-19 15:20 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl" . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl" . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}] "ImagePath"="\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-1960408961-1303643608-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(928) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll c:\windows\system32\RARfsClientNP.dll . - - - - - - - > 'lsass.exe'(984) c:\windows\system32\RARfsClientNP.dll . - - - - - - - > 'explorer.exe'(2300) c:\windows\system32\WININET.dll c:\program files\NVIDIA Corporation\nView\nview.dll c:\windows\system32\btmmhook.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . 
Completion time: 2011-12-19 15:22:06 ComboFix-quarantined-files.txt 2011-12-19 23:21 ComboFix2.txt 2011-12-17 18:12 ComboFix3.txt 2011-12-16 19:50 ComboFix4.txt 2011-12-16 00:20 ComboFix5.txt 2011-12-19 23:06 . Pre-Run: 1,296,197,255,168 bytes free Post-Run: 1,296,685,105,152 bytes free . - - End Of File - - 0F834B5C2B03AA494BA5DDD5C3310BE1
-
Rebooted and still getting redirected.
-
Tried and got the following dialog box: "The procedure entry point MigrateWinsockConfiguration could not be located in the dynamic link library MSWSOCK.dll"
-
Not good. Still getting redirected and also still "acquiring network address". A Windows dialogue box popped up: TCP/IP Ping Command send error report.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8338

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/9/2011 7:11:49 AM
mbam-log-2011-12-09 (07-11-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 498414
Time elapsed: 3 hour(s), 29 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{c6c4b482-c7ea-4b74-a10f-7986dda0628e}\RP99\A0015500.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.5259356369350485fdrgs.exe (Rogue.PrivacyProtection) -> Quarantined and deleted successfully.
ESET scan:

C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP112\A0028632.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP112\A0030600.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP112\A0031600.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP113\A0032600.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP113\A0033600.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP114\A0034600.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\mrxsmb.sys Win32/Sirefef.DA trojan unable to clean
-
First attempt at this ComboFix stalled right after it said the test can take as long as 10 minutes. I reset the computer and then tried it a second time successfully.

ComboFix 11-12-13.02 - Mark 12/17/2011 9:57.7.4 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2790 [GMT -8:00] Running from: c:\documents and settings\Mark\Desktop\relief.exe Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} . . ((((((((((((((((((((((((( Files Created from 2011-11-17 to 2011-12-17 ))))))))))))))))))))))))))))))) . . 2011-12-17 03:20 . 2011-12-17 03:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Sun 2011-12-15 23:31 . 2011-12-16 00:20 -------- d-----w- C:\relief 2011-12-13 16:20 . 2011-12-13 16:20 -------- d-----w- C:\_OTL 2011-12-12 18:36 . 2011-12-12 18:36 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\Sun 2011-12-12 14:52 . 2011-12-12 14:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun 2011-12-11 23:56 . 2011-12-11 23:56 -------- d-----w- c:\program files\Common Files\Java 2011-12-11 23:56 . 2011-12-11 23:56 128000 ----a-w- c:\windows\system32\javacpl.cpl 2011-12-08 07:55 . 2011-12-08 07:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-12-08 05:10 . 2011-12-08 05:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer 2011-12-08 04:04 . 2011-12-08 04:04 -------- d-----w- c:\program files\ESET 2011-11-25 19:47 . 2011-11-25 19:47 -------- d-----w- c:\program files\iPod 2011-11-25 19:47 . 2011-11-25 19:48 -------- d-----w- c:\program files\iTunes 2011-11-25 19:43 . 2011-11-25 19:43 -------- d-----w- c:\program files\Bonjour 2011-11-25 17:51 . 
2011-11-25 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\RosettaStoneLtdBackup . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-16 00:43 . 2011-12-16 00:43 10283 ----a-w- C:\ComboFix.zip 2011-12-11 23:56 . 2011-08-18 22:04 544656 ----a-w- c:\windows\system32\deployJava1.dll 2011-11-24 18:45 . 2011-05-20 18:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-10-10 14:22 . 2009-04-12 00:25 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll 2011-09-26 18:41 . 2007-10-09 20:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-11-22 17:49 . 2011-05-26 15:43 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((( SnapShot_2011-12-16_19.43.18 ))))))))))))))))))))))))))))))))))))))))) . + 2011-12-17 17:53 . 2011-12-17 17:53 16384 c:\windows\temp\Perflib_Perfdata_aa8.dat + 2011-12-17 17:51 . 2011-12-17 17:51 16384 c:\windows\temp\Perflib_Perfdata_310.dat + 2010-04-24 20:50 . 2011-12-17 17:51 224706 c:\windows\system32\inetsrv\MetaBase.bin + 2010-03-10 02:14 . 2011-12-17 07:22 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat - 2010-03-10 02:14 . 2011-12-16 16:29 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat + 2011-12-08 01:52 . 2011-12-17 17:50 223744 c:\windows\$NtUninstallKB44723$\1760806464\kwrd.dll - 2011-12-08 01:52 . 2011-12-16 19:41 223744 c:\windows\$NtUninstallKB44723$\1760806464\kwrd.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-17 39408] "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2011-05-06 4980344] "DAEMON Tools Lite"="c:\util\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200] "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "V0230Mon.exe"="c:\windows\system32\V0230Mon.exe" [2006-07-19 36961] "NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-02-23 1226024] "AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528] "RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336] "BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-11-18 75048] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424] "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360] "Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-09-11 3622184] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-06 421888] "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136] 
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528] . c:\documents and settings\Mark\Start Menu\Programs\Startup\ Check for TWS Updates.lnk - c:\program files\Jts\WiseUpdt.exe [2011-9-7 194775] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-24 113664] Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-29 607584] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360] NovaBACKUP Tray Control.lnk - c:\program files\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe [2010-12-7 219784] TotalMedia Server.lnk - c:\program files\ArcSoft\TotalMedia Theatre 5\TotalMedia Server\TM Server.exe [2011-8-17 519744] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLinkedConnections"= 1 (0x1) . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"= "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"= "c:\\util\\mIRC\\mirc.exe"= "c:\\drivers\\hpl7590\\OJProL7X00_Full_8_3\\setup\\HPZnui01.exe"= "c:\\drivers\\hpl7590\\OJProL7X00_Full_8_3\\setup\\hponicifs01.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Cyberlink\\PowerDVD9\\PowerDVD9.exe"= "c:\\Program Files\\Salling Software AB\\Salling Clicker\\WinClicker.exe"= "c:\\Program Files\\SightSpeed\\SightSpeed.exe"= "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= "c:\\drivers\\hpl7590\\basic\\OJProL7X00_Basic_14\\setup\\hpznui01.exe"= "c:\\drivers\\hpl7590\\full\\OJProL7X00_Full_14\\setup\\hpznui01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= 
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"= "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"= "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"= "c:\\Program Files\\Cyberlink\\PowerDVD10\\PowerDVD10.exe"= "c:\\Program Files\\Nero\\Nero MediaHome 4\\NMMediaServerService.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"= "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"= "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "5353:UDP"= 5353:UDP:Salling Clicker mDNS "50000:UDP"= 50000:UDP:IHA_MessageCenter . R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?] 
R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [4/11/2009 4:49 PM 113904] R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [6/27/2009 8:53 AM 96512] R1 ArcSec;archlp;c:\windows\system32\drivers\ArcSec.sys [9/21/2010 8:10 AM 192504] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 9:25 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 9:15 AM 66632] R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [4/11/2009 4:49 PM 79616] R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/24 13:54];c:\program files\Cyberlink\PowerDVD10\NavFilter\000.fcl [11/17/2010 8:29 PM 87536] R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/31 16:45];c:\program files\Cyberlink\PowerDVD9\000.fcl [3/30/2009 4:53 PM 87536] R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [11/18/2010 2:58 PM 20328] R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 3:02 PM 286736] R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [2/18/2010 2:01 PM 462632] R2 nsService;NovaStor NovaBACKUP Backup/Copy Engine;c:\program files\NovaStor\NovaStor NovaBACKUP\nsService.exe [12/7/2010 1:41 PM 365704] R2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\x86\rainfo.sys [4/17/2007 1:00 PM 12992] R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;c:\windows\system32\drivers\RARfsDriver.sys [4/4/2010 7:20 AM 46000] R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4/11/2009 4:49 PM 1990656] R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 1:16 PM 93960] R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 4:54 AM 206120] R2 
tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 4:54 AM 185640] R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [5/29/2009 9:02 AM 66944] R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [4/11/2009 4:49 PM 61952] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/23/2011 8:53 PM 106104] R3 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys [4/17/2007 1:00 PM 10168] R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [6/24/2010 11:43 PM 6272] R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [6/24/2010 11:43 PM 498464] S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl --> c:\program files\PowerDVD8\PowerDVD8\000.fcl [?] S2 gupdate1ca0bc6b51516ae;Google Update Service (gupdate1ca0bc6b51516ae);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 10:52 AM 133104] S2 StorageCraft Image Manager;StorageCraft Image Manager;c:\program files\StorageCraft\ImageManager\ImageManager.exe [10/24/2007 2:26 PM 69632] S2 StorageCraft Image Manager32;StorageCraft Image Manager ;c:\windows\system32\ntsdexts32.exe --> c:\windows\system32\ntsdexts32.exe [?] 
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [8/11/2009 7:45 AM 1684736] S3 Backup Client Agent Service;Backup Client Agent Service;c:\program files\NovaStor\NovaStor NovaBACKUP\ManagementServer.Agent.Service.exe [11/22/2010 6:09 PM 179200] S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/7/2011 8:11 AM 13192] S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/7/2011 8:11 AM 8456] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 10:52 AM 133104] S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/26/2009 8:59 PM 47360] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 9:15 AM 12872] S4 RARfsClientNP;RARfsClientNP; [x] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] 2009-03-08 12:32 128512 ----a-w- c:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder . 2011-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34] . 2011-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52] . 2011-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52] . 
2011-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003Core.job - c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37] . 2011-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003UA.job - c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37] . 2011-12-14 c:\windows\Tasks\User_Feed_Synchronization-{A7972C66-43AF-4964-A40E-32D2946479FE}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 12:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/?ilc=5 mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8 uInternet Settings,ProxyOverride = *.local DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\p5oo56mt.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p= FF - prefs.js: browser.search.selectedEngine - DAEMON Search FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p= . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-12-17 10:10 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl" . 
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl" . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}] "ImagePath"="\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-1960408961-1303643608-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(740) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll c:\windows\system32\RARfsClientNP.dll . - - - - - - - > 'lsass.exe'(800) c:\windows\system32\RARfsClientNP.dll c:\windows\system32\mswsock.dll mswsock.dll 71a50000 258048 \\.\globalroot\systemroot\system32\mswsock.dll c:\windows\system32\WININET.dll . - - - - - - - > 'explorer.exe'(4168) c:\windows\system32\WININET.dll c:\program files\NVIDIA Corporation\nView\nview.dll c:\windows\system32\btmmhook.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2011-12-17 10:12:21 ComboFix-quarantined-files.txt 2011-12-17 18:12 ComboFix2.txt 2011-12-16 19:50 ComboFix3.txt 2011-12-16 00:20 ComboFix4.txt 2011-12-10 20:24 ComboFix5.txt 2011-12-17 17:12 . Pre-Run: 1,293,379,481,600 bytes free Post-Run: 1,293,949,353,984 bytes free . - - End Of File - - DFA2C5F7417FF7459386399075F2BD44
-
Elise, unfortunately, you were correct with your first post. Here is the file I manually deleted:

C:\WINDOWS\system32\drivers\mrxsmb.sys Win32/Sirefef.DA trojan unable to clean

Here is the ComboFix file. Also, still getting redirected.

ComboFix 11-12-13.02 - Mark 12/16/2011 8:37.6.4 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2388 [GMT -8:00] Running from: c:\documents and settings\Mark\Desktop\relief.exe Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} . FILE :: "c:\windows\system32\drivers\srdnayo.sys" . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Service_nnyatg . . ((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 ))))))))))))))))))))))))))))))) . . 2011-12-15 23:31 . 2011-12-16 00:20 -------- d-----w- C:\relief 2011-12-13 16:20 . 2011-12-13 16:20 -------- d-----w- C:\_OTL 2011-12-12 18:36 . 2011-12-12 18:36 -------- d-----w- c:\documents and settings\Mark\Local Settings\Application Data\Sun 2011-12-12 14:52 . 2011-12-12 14:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun 2011-12-11 23:56 . 2011-12-11 23:56 -------- d-----w- c:\program files\Common Files\Java 2011-12-11 23:56 . 2011-12-11 23:56 128000 ----a-w- c:\windows\system32\javacpl.cpl 2011-12-08 07:55 . 2011-12-08 07:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-12-08 05:10 . 2011-12-08 05:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer 2011-12-08 04:04 . 2011-12-08 04:04 -------- d-----w- c:\program files\ESET 2011-11-25 19:47 . 
2011-11-25 19:47 -------- d-----w- c:\program files\iPod 2011-11-25 19:47 . 2011-11-25 19:48 -------- d-----w- c:\program files\iTunes 2011-11-25 19:43 . 2011-11-25 19:43 -------- d-----w- c:\program files\Bonjour 2011-11-25 17:51 . 2011-11-25 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\RosettaStoneLtdBackup . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-16 00:43 . 2011-12-16 00:43 10283 ----a-w- C:\ComboFix.zip 2011-12-11 23:56 . 2011-08-18 22:04 544656 ----a-w- c:\windows\system32\deployJava1.dll 2011-11-24 18:45 . 2011-05-20 18:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-10-10 14:22 . 2009-04-12 00:25 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll 2011-09-26 18:41 . 2007-10-09 20:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll 2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll 2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll 2011-11-22 17:49 . 2011-05-26 15:43 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((( SnapShot_2011-12-10_20.20.53 ))))))))))))))))))))))))))))))))))))))))) . + 2011-12-16 01:21 . 2011-12-16 01:21 16384 c:\windows\temp\Perflib_Perfdata_ab8.dat + 2011-12-16 19:42 . 2011-12-16 19:42 16384 c:\windows\temp\Perflib_Perfdata_a78.dat + 2011-12-16 19:41 . 2011-12-16 19:41 16384 c:\windows\temp\Perflib_Perfdata_84.dat + 2011-12-16 01:19 . 2011-12-16 01:19 16384 c:\windows\temp\Perflib_Perfdata_324.dat - 2010-03-10 01:36 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll + 2010-03-10 01:36 . 2011-08-12 20:51 17272 c:\windows\system32\spmsg.dll - 2004-08-04 12:00 . 2011-11-10 01:03 84566 c:\windows\system32\perfc009.dat + 2004-08-04 12:00 . 
2011-12-11 17:02 84566 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2011-06-23 18:36 66560 c:\windows\system32\mshtmled.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 66560 c:\windows\system32\mshtmled.dll
- 2007-08-14 01:54 . 2011-06-23 18:36 55296 c:\windows\system32\msfeedsbs.dll
+ 2007-08-14 01:54 . 2011-08-22 23:48 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 43520 c:\windows\system32\licmgr10.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 43520 c:\windows\system32\licmgr10.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 25600 c:\windows\system32\jsproxy.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 25600 c:\windows\system32\jsproxy.dll
+ 2010-03-09 16:00 . 2011-08-22 23:48 12800 c:\windows\system32\dllcache\xpshims.dll
- 2010-03-09 16:00 . 2011-06-23 18:36 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2004-08-04 12:00 . 2011-09-26 18:41 20480 c:\windows\system32\dllcache\oleaccrc.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2009-04-12 16:53 . 2011-06-23 18:36 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-04-12 16:53 . 2011-08-22 23:48 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2010-06-19 21:21 . 2011-10-25 13:21 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-12-14 03:09 . 2011-12-14 03:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-12 00:30 . 2011-12-14 03:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-12 00:30 . 2011-10-25 13:21 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-12-11 01:02 . 2011-06-23 18:36 12800 c:\windows\ie8updates\KB2586448-IE8\xpshims.dll
+ 2011-12-11 01:01 . 2011-06-23 18:36 66560 c:\windows\ie8updates\KB2586448-IE8\mshtmled.dll
+ 2011-12-11 01:01 . 2011-06-23 18:36 55296 c:\windows\ie8updates\KB2586448-IE8\msfeedsbs.dll
+ 2011-12-11 01:01 . 2011-06-23 18:36 43520 c:\windows\ie8updates\KB2586448-IE8\licmgr10.dll
+ 2011-12-11 01:01 . 2011-06-23 18:36 25600 c:\windows\ie8updates\KB2586448-IE8\jsproxy.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2011-12-11 01:03 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2641690\update\spcustom.dll
+ 2011-12-11 01:03 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2641690\spmsg.dll
+ 2011-12-11 01:03 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2567053\update\spcustom.dll
+ 2011-12-11 01:03 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2567053\spmsg.dll
+ 2011-12-11 01:14 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2544893-v2\update\spcustom.dll
+ 2011-12-11 01:14 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2544893-v2\spmsg.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2011-09-28 16:47 . 2011-09-28 16:47 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 916480 c:\windows\system32\wininet.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 916480 c:\windows\system32\wininet.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 105984 c:\windows\system32\url.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 105984 c:\windows\system32\url.dll
- 2004-08-04 12:00 . 2011-11-10 01:03 481500 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2011-12-11 17:02 481500 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2011-06-23 18:36 206848 c:\windows\system32\occache.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 206848 c:\windows\system32\occache.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 611840 c:\windows\system32\mstime.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 611840 c:\windows\system32\mstime.dll
- 2007-08-14 01:54 . 2011-06-23 18:36 602112 c:\windows\system32\msfeeds.dll
+ 2007-08-14 01:54 . 2011-08-22 23:48 602112 c:\windows\system32\msfeeds.dll
+ 2011-12-11 23:56 . 2011-12-11 23:56 214408 c:\windows\system32\javaws.exe
+ 2011-12-11 23:56 . 2011-12-11 23:56 173960 c:\windows\system32\javaw.exe
+ 2011-12-11 23:56 . 2011-12-11 23:56 173960 c:\windows\system32\java.exe
+ 2010-04-24 20:50 . 2011-12-16 19:41 224688 c:\windows\system32\inetsrv\MetaBase.bin
+ 2004-08-04 12:00 . 2011-08-22 23:48 184320 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 184320 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 12:00 . 2011-08-22 11:56 174080 c:\windows\system32\ie4uinit.exe
+ 2009-04-11 17:03 . 2011-12-11 04:46 313176 c:\windows\system32\FNTCACHE.DAT
- 2009-04-11 17:03 . 2011-09-28 17:08 313176 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-04 12:00 . 2011-08-17 13:49 138496 c:\windows\system32\drivers\afd.sys
- 2004-08-04 12:00 . 2011-02-16 13:22 138496 c:\windows\system32\drivers\afd.sys
- 2004-08-04 12:00 . 2011-06-23 18:36 916480 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 916480 c:\windows\system32\dllcache\wininet.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-04 12:00 . 2011-09-26 18:41 220160 c:\windows\system32\dllcache\oleacc.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 206848 c:\windows\system32\dllcache\occache.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 206848 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 611840 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 611840 c:\windows\system32\dllcache\mstime.dll
+ 2009-04-12 16:53 . 2011-08-22 23:48 602112 c:\windows\system32\dllcache\msfeeds.dll
- 2009-04-12 16:53 . 2011-06-23 18:36 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-04-12 00:25 . 2011-10-10 14:22 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2009-04-12 00:25 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2010-03-09 16:00 . 2011-08-22 23:48 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2010-03-09 16:00 . 2011-06-23 18:36 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 184320 c:\windows\system32\dllcache\iepeers.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-11 18:15 . 2011-08-22 23:48 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-11 18:15 . 2011-06-23 18:36 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-04 12:00 . 2011-08-22 11:56 174080 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-04 12:00 . 2011-09-28 07:06 599040 c:\windows\system32\dllcache\crypt32.dll
- 2004-08-04 12:00 . 2011-09-09 09:12 599040 c:\windows\system32\dllcache\crypt32.dll
- 2004-08-04 12:00 . 2011-02-16 13:22 138496 c:\windows\system32\dllcache\afd.sys
+ 2004-08-04 12:00 . 2011-08-17 13:49 138496 c:\windows\system32\dllcache\afd.sys
- 2010-03-10 02:14 . 2011-12-10 17:52 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2010-03-10 02:14 . 2011-12-16 16:29 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2011-12-11 23:56 . 2011-12-11 23:56 176640 c:\windows\Installer\656dc.msi
+ 2011-12-11 23:56 . 2011-12-11 23:56 938496 c:\windows\Installer\656d4.msi
+ 2011-12-11 23:55 . 2011-12-11 23:55 519168 c:\windows\Installer\656d0.msi
+ 2011-12-11 01:01 . 2011-06-23 18:36 916480 c:\windows\ie8updates\KB2586448-IE8\wininet.dll
+ 2011-12-11 01:01 . 2011-06-23 18:36 105984 c:\windows\ie8updates\KB2586448-IE8\url.dll
+ 2011-12-11 01:02 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2586448-IE8\spuninst\updspapi.dll
+ 2011-12-11 01:02 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2586448-IE8\spuninst\spuninst.exe
+ 2011-12-11 01:01 . 2011-06-23 18:36 206848 c:\windows\ie8updates\KB2586448-IE8\occache.dll
+ 2011-12-11 01:01 . 2011-06-23 18:36 611840 c:\windows\ie8updates\KB2586448-IE8\mstime.dll
+ 2011-12-11 01:01 . 2011-06-23 18:36 602112 c:\windows\ie8updates\KB2586448-IE8\msfeeds.dll
+ 2011-12-11 01:02 . 2011-06-23 18:36 247808 c:\windows\ie8updates\KB2586448-IE8\ieproxy.dll
+ 2011-12-11 01:01 . 2011-06-23 18:36 184320 c:\windows\ie8updates\KB2586448-IE8\iepeers.dll
+ 2011-12-11 01:02 . 2011-06-23 18:36 743424 c:\windows\ie8updates\KB2586448-IE8\iedvtool.dll
+ 2011-12-11 01:02 . 2011-06-23 18:36 387584 c:\windows\ie8updates\KB2586448-IE8\iedkcs32.dll
+ 2011-12-11 01:02 . 2011-06-23 12:05 173568 c:\windows\ie8updates\KB2586448-IE8\ie4uinit.exe
+ 2011-12-11 01:19 . 2011-12-11 01:19 425984 c:\windows\assembly\temp\IA2LVE6G89\System.configuration.dll
+ 2011-12-11 01:18 . 2011-12-11 01:18 261632 c:\windows\assembly\temp\HRJ23VN6P8\System.Transactions.dll
+ 2011-12-11 01:18 . 2011-12-11 01:18 303104 c:\windows\assembly\temp\HRAK3MWXY8\System.Runtime.Remoting.dll
+ 2011-12-11 01:18 . 2011-12-11 01:18 626688 c:\windows\assembly\temp\H0S2L45OYZ\System.Drawing.dll
+ 2011-12-11 01:19 . 2011-12-11 01:19 114688 c:\windows\assembly\temp\9A2LV5OYH0\System.ServiceProcess.dll
+ 2011-12-11 01:18 . 2011-12-11 01:18 113664 c:\windows\assembly\temp\8IJTCM5OY8\System.EnterpriseServices.Wrapper.dll
+ 2011-12-11 01:18 . 2011-12-11 01:18 258048 c:\windows\assembly\temp\8IJTCM5OY8\System.EnterpriseServices.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2011-12-08 01:52 . 2011-12-10 18:13 223744 c:\windows\$NtUninstallKB44723$\1760806464\kwrd.dll
+ 2011-12-08 01:52 . 2011-12-16 19:41 223744 c:\windows\$NtUninstallKB44723$\1760806464\kwrd.dll
+ 2011-12-11 01:03 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2641690\update\updspapi.dll
+ 2011-12-11 01:03 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2641690\update\update.exe
+ 2011-12-11 01:03 . 2010-07-05 13:15 231288 c:\windows\$hf_mig$\KB2641690\spuninst.exe
+ 2011-09-28 07:05 . 2011-09-28 07:05 599552 c:\windows\$hf_mig$\KB2641690\SP3QFE\crypt32.dll
+ 2011-12-11 01:03 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2567053\update\updspapi.dll
+ 2011-12-11 01:03 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2567053\update\update.exe
+ 2011-12-11 01:03 . 2010-07-05 13:15 231288 c:\windows\$hf_mig$\KB2567053\spuninst.exe
+ 2011-12-11 01:14 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2544893-v2\update\updspapi.dll
+ 2011-12-11 01:14 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2544893-v2\update\update.exe
+ 2011-12-11 01:14 . 2010-07-05 13:15 231288 c:\windows\$hf_mig$\KB2544893-v2\spuninst.exe
+ 2011-10-10 14:21 . 2011-10-10 14:21 692736 c:\windows\$hf_mig$\KB2544893-v2\SP3QFE\inetcomm.dll
+ 2004-08-04 12:00 . 2011-09-06 13:20 1858944 c:\windows\system32\win32k.sys
- 2004-08-04 12:00 . 2011-06-02 14:02 1858944 c:\windows\system32\win32k.sys
- 2004-08-04 12:00 . 2011-06-23 18:36 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2011-08-22 23:48 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2011-10-03 08:35 5971456 c:\windows\system32\mshtml.dll
+ 2007-08-14 01:34 . 2011-08-22 23:48 2000384 c:\windows\system32\iertutil.dll
- 2004-08-04 12:00 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-04 12:00 . 2011-09-06 13:20 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-04 12:00 . 2011-08-22 23:48 1212416 c:\windows\system32\dllcache\urlmon.dll
- 2004-08-04 12:00 . 2011-06-23 18:36 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 12:00 . 2011-10-03 08:35 5971456 c:\windows\system32\dllcache\mshtml.dll
+ 2009-04-12 16:53 . 2011-08-22 23:48 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2011-12-11 01:01 . 2011-06-23 18:36 1212416 c:\windows\ie8updates\KB2586448-IE8\urlmon.dll
+ 2011-12-11 01:01 . 2011-07-25 15:17 5969920 c:\windows\ie8updates\KB2586448-IE8\mshtml.dll
+ 2011-12-11 01:01 . 2011-06-23 18:36 1991680 c:\windows\ie8updates\KB2586448-IE8\iertutil.dll
+ 2011-12-11 01:18 . 2011-12-11 01:18 5025792 c:\windows\assembly\temp\QRSBUDNX7H\System.Windows.Forms.dll
+ 2011-12-11 01:19 . 2011-12-11 01:19 2933248 c:\windows\assembly\temp\IST3VW678I\System.Data.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-12-11 17:00 . 2011-12-11 17:00 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2011-09-28 16:47 . 2011-09-28 16:47 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-12-11 17:01 . 2011-12-11 17:01 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-09-06 13:25 . 2011-09-06 13:25 1867904 c:\windows\$hf_mig$\KB2567053\SP3QFE\win32k.sys
+ 2009-04-12 16:51 . 2011-10-28 06:04 50295240 c:\windows\system32\MRT.exe
+ 2007-08-14 01:54 . 2011-08-24 00:48 11081728 c:\windows\system32\ieframe.dll
- 2007-08-14 01:54 . 2011-06-23 18:36 11081728 c:\windows\system32\ieframe.dll
+ 2009-04-12 16:53 . 2011-08-24 00:48 11081728 c:\windows\system32\dllcache\ieframe.dll
- 2009-04-12 16:53 . 2011-06-23 18:36 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2011-07-12 04:43 . 2011-07-12 04:43 11641344 c:\windows\Installer\1a8805.msp
+ 2011-12-11 01:01 . 2011-06-23 18:36 11081728 c:\windows\ie8updates\KB2586448-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-17 39408]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2011-05-06 4980344]
"DAEMON Tools Lite"="c:\util\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"V0230Mon.exe"="c:\windows\system32\V0230Mon.exe" [2006-07-19 36961]
"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-02-23 1226024]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]
"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-11-18 75048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
"Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-09-11 3622184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-06 421888]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
c:\documents and settings\Mark\Start Menu\Programs\Startup\
Check for TWS Updates.lnk - c:\program files\Jts\WiseUpdt.exe [2011-9-7 194775]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-24 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-29 607584]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
NovaBACKUP Tray Control.lnk - c:\program files\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe [2010-12-7 219784]
TotalMedia Server.lnk - c:\program files\ArcSoft\TotalMedia Theatre 5\TotalMedia Server\TM Server.exe [2011-8-17 519744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\util\\mIRC\\mirc.exe"=
"c:\\drivers\\hpl7590\\OJProL7X00_Full_8_3\\setup\\HPZnui01.exe"=
"c:\\drivers\\hpl7590\\OJProL7X00_Full_8_3\\setup\\hponicifs01.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Cyberlink\\PowerDVD9\\PowerDVD9.exe"=
"c:\\Program Files\\Salling Software AB\\Salling Clicker\\WinClicker.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\drivers\\hpl7590\\basic\\OJProL7X00_Basic_14\\setup\\hpznui01.exe"=
"c:\\drivers\\hpl7590\\full\\OJProL7X00_Full_14\\setup\\hpznui01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Cyberlink\\PowerDVD10\\PowerDVD10.exe"=
"c:\\Program Files\\Nero\\Nero MediaHome 4\\NMMediaServerService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:UDP"= 5353:UDP:Salling Clicker mDNS
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [4/11/2009 4:49 PM 113904]
R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [6/27/2009 8:53 AM 96512]
R1 ArcSec;archlp;c:\windows\system32\drivers\ArcSec.sys [9/21/2010 8:10 AM 192504]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 9:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 9:15 AM 66632]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [4/11/2009 4:49 PM 79616]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/24 13:54];c:\program files\Cyberlink\PowerDVD10\NavFilter\000.fcl [11/17/2010 8:29 PM 87536]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/31 16:45];c:\program files\Cyberlink\PowerDVD9\000.fcl [3/30/2009 4:53 PM 87536]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [11/18/2010 2:58 PM 20328]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 3:02 PM 286736]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [2/18/2010 2:01 PM 462632]
R2 nsService;NovaStor NovaBACKUP Backup/Copy Engine;c:\program files\NovaStor\NovaStor NovaBACKUP\nsService.exe [12/7/2010 1:41 PM 365704]
R2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\x86\rainfo.sys [4/17/2007 1:00 PM 12992]
R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;c:\windows\system32\drivers\RARfsDriver.sys [4/4/2010 7:20 AM 46000]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4/11/2009 4:49 PM 1990656]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 1:16 PM 93960]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 4:54 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 4:54 AM 185640]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [5/29/2009 9:02 AM 66944]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [4/11/2009 4:49 PM 61952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/23/2011 8:53 PM 106104]
R3 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys [4/17/2007 1:00 PM 10168]
R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [6/24/2010 11:43 PM 6272]
R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [6/24/2010 11:43 PM 498464]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl --> c:\program files\PowerDVD8\PowerDVD8\000.fcl [?]
S2 gupdate1ca0bc6b51516ae;Google Update Service (gupdate1ca0bc6b51516ae);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 10:52 AM 133104]
S2 StorageCraft Image Manager;StorageCraft Image Manager;c:\program files\StorageCraft\ImageManager\ImageManager.exe [10/24/2007 2:26 PM 69632]
S2 StorageCraft Image Manager32;StorageCraft Image Manager ;c:\windows\system32\ntsdexts32.exe --> c:\windows\system32\ntsdexts32.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [8/11/2009 7:45 AM 1684736] S3 Backup Client Agent Service;Backup Client Agent Service;c:\program files\NovaStor\NovaStor NovaBACKUP\ManagementServer.Agent.Service.exe [11/22/2010 6:09 PM 179200] S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/7/2011 8:11 AM 13192] S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/7/2011 8:11 AM 8456] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 10:52 AM 133104] S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/26/2009 8:59 PM 47360] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 9:15 AM 12872] S4 RARfsClientNP;RARfsClientNP; [x] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] 2009-03-08 12:32 128512 ----a-w- c:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder . 2011-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34] . 2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52] . 2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52] . 
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003Core.job - c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37] . 2011-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003UA.job - c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37] . 2011-12-14 c:\windows\Tasks\User_Feed_Synchronization-{A7972C66-43AF-4964-A40E-32D2946479FE}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 12:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/?ilc=5 mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8 uInternet Settings,ProxyOverride = *.local LSP: mswsock.dll DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\p5oo56mt.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p= FF - prefs.js: browser.search.selectedEngine - DAEMON Search FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p= . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-12-16 11:43 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl" . 
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl" . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}] "ImagePath"="\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-1960408961-1303643608-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(748) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll c:\windows\system32\RARfsClientNP.dll . - - - - - - - > 'lsass.exe'(808) c:\windows\system32\RARfsClientNP.dll c:\windows\system32\mswsock.dll mswsock.dll 71a50000 258048 \\.\globalroot\systemroot\system32\mswsock.dll c:\windows\system32\WININET.dll . - - - - - - - > 'explorer.exe'(2640) c:\windows\system32\WININET.dll c:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll c:\program files\NVIDIA Corporation\nView\nview.dll c:\windows\system32\btmmhook.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\btncopy.dll c:\program files\WinSCP\DragExt.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\system32\nvsvc32.exe c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe c:\program files\Common Files\Symantec Shared\ccSvcHst.exe c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\inetsrv\inetinfo.exe c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe c:\program files\Java\jre7\bin\jqs.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe c:\program files\Nero\Nero MediaHome 4\NMMediaServerService.exe c:\program files\RemotelyAnywhere\x86\RaMaint.exe c:\program files\RemotelyAnywhere\x86\RemotelyAnywhere.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe c:\windows\System32\vssvc.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe c:\windows\system32\rundll32.exe c:\windows\system32\rundll32.exe c:\progra~1\MICROS~3\rapimgr.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Microsoft Office\Office10\msoffice.exe c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe c:\program files\HP\Digital Imaging\bin\hpqbam08.exe c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe c:\program files\CyberLink\PowerDVD10\PowerDVD Cox\PowerDVDCox10.exe . ************************************************************************** . 
Completion time: 2011-12-16 11:50:25 - machine was rebooted ComboFix-quarantined-files.txt 2011-12-16 19:50 ComboFix2.txt 2011-12-16 00:20 ComboFix3.txt 2011-12-10 20:24 ComboFix4.txt 2011-08-15 22:42 ComboFix5.txt 2011-12-16 16:36 . Pre-Run: 1,293,521,600,512 bytes free Post-Run: 1,293,673,750,528 bytes free . - - End Of File - - 46270934A019A9515C2E3F958C466437
-
Attached ComboFix.txt. Note I am still getting redirected. ComboFix.zip
-
Yikes! The situation just got a WHOLE lot worse. I just received a call from my credit card company that a fraudulent charge of $1,700 was made in an Apple store in Alberta, Canada! I am pretty sure this is a result of me making a purchase online on the infected computer. I just got this card because my previous card also had a fraudulent charge, probably also because of a purchase on the same computer. I am no longer entering any financial data on this computer until I am confident it is clean. I tried running ComboFix again. I downloaded it and saved it to the desktop under a different file name. This time it stalled trying to reboot. I had to hard reset the computer. I booted into safe mode with no networking support. A ComboFix window opened saying it was preparing a log report. It did produce a log file, which I will post shortly. Also, I ran ESET online; it says that the machine is infected with the Win32/Sirefef.DA trojan. It said one of the files in the system32 folder could not be deleted. However, I was able to manually delete it and empty the recycle bin. The ComboFix report was run after this.
-
I checked no c:\combofix.txt was created.
-
I tried to run combofix but it stalled at preparing log report.
-
I disabled all add-ons in IE and I am still getting redirected. I also did some more browsing in Firefox and am also getting redirected to advertisement sites. I ran the ESET online virus checker; the first time it found viruses but stalled without completing. I then ran it a second time; it found viruses and completed, but was unable to clean everything:

"C:\WINDOWS\system32\drivers\mrxsmb.sys Win32/Sirefef.DA trojan unable to clean
Operating memory multiple threats"

Here are both logs, starting with the first:

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\13\16431a4d-50d8eb75 Java/Exploit.CVE-2011-3544.F trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\24\762072d8-2fa85b8e Java/Exploit.CVE-2011-3544.F trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\27\6584d6db-20ba10fe Java/Agent.DY trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\6\539bac06-5aec0e7d Java/Agent.DY trojan deleted - quarantined
C:\dwld\Android Applications Sep 2010\Applications.rar multiple threats deleted - quarantined
C:\dwld\Android Part Two\Apps\z4root_(1.3.0).apk Android/Exploit.RageCage.A trojan deleted - quarantined

Here is the second log, which completed (100% scan):

C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP100\A0018531.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP100\A0019531.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP101\A0020532.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP101\A0021531.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP101\A0022753.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP102\A0022783.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP102\A0023783.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP103\A0024067.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP103\A0025067.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP103\A0026067.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP105\A0026473.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP107\A0026527.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP108\A0026595.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP111\A0027595.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP98\A0014419.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP98\A0015419.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP99\A0015473.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP99\A0015503.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP99\A0016502.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C6C4B482-C7EA-4B74-A10F-7986DDA0628E}\RP99\A0017502.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\mrxsmb.sys Win32/Sirefef.DA trojan unable to clean
Operating memory multiple threats
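The scanner output above names two concrete files worth pinning down before anything else is deleted: ESET flags c:\windows\system32\drivers\mrxsmb.sys, and the ComboFix log earlier in this thread lists mswsock.dll as the Winsock LSP. The script below is an added example (not posted by the thread's author and not part of any of the tools mentioned) that records the Authenticode status, size, timestamp and SHA-256 of those files plus every Winsock provider module, so the values can be compared against a clean copy of the same Windows build. The file list, the English "Provider Path:" label in the netsh output, and the function name Get-FileTriage are all assumptions of this example.

```powershell
# Added example, not part of the thread: triage the files the scans above point at.
# ESET flagged mrxsmb.sys and the ComboFix log lists mswsock.dll as the Winsock LSP,
# so record each file's Authenticode status, size, timestamp and SHA-256 to compare
# against a known-clean copy of the same Windows build.
# Written for PowerShell 2.0 (XP/Vista era); run from an elevated prompt.

function Get-FileTriage {
    param([string[]]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($p in $Path) {
        $full = [Environment]::ExpandEnvironmentVariables($p)
        if (-not (Test-Path -LiteralPath $full)) {
            New-Object PSObject -Property @{ Path = $full; Exists = $false }
            continue
        }
        $item = Get-Item -LiteralPath $full
        $sig  = Get-AuthenticodeSignature -FilePath $full
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # Hash with .NET directly so this also works where Get-FileHash is absent.
        $stream = [IO.File]::OpenRead($full)
        try     { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
        finally { $stream.Close() }
        New-Object PSObject -Property @{
            Path      = $full
            Exists    = $true
            Size      = $item.Length
            Modified  = $item.LastWriteTime
            SigStatus = $sig.Status        # Valid / NotSigned / HashMismatch / ...
            Signer    = $signer
            SHA256    = $hash
        }
    }
}

# Files named in the scan output above (assumed paths for this example).
$targets = @('%SystemRoot%\system32\drivers\mrxsmb.sys',
             '%SystemRoot%\system32\mswsock.dll')

# Add every Winsock provider module from the catalog. Assumes an English locale,
# where netsh prints the module on a "Provider Path:" line.
$targets += (netsh winsock show catalog) | ForEach-Object {
    if ($_ -match '^\s*Provider Path:\s*(.+?)\s*$') { $Matches[1] }
} | Select-Object -Unique

Get-FileTriage -Path $targets |
    Select-Object Path, Exists, SigStatus, Signer, Size, Modified, SHA256 |
    Format-List
```

Two caveats a practitioner would apply to the output. On Windows XP many inbox drivers are signed through catalog files rather than an embedded signature, so a NotSigned status on its own is not proof of tampering; the decisive check is the SHA-256 against a copy of the same file version taken from a clean machine or installation media. And because the scans in this thread report a rootkit component, anything read from inside the running OS can be falsified; repeat the hash comparison with the disk mounted offline before trusting a "clean" result.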
-
I noticed my CPU utilization was jumping even though I wasn't really doing anything. I checked my processes and there is a process "ping.exe" that is using up some of the CPU bandwidth. I did a search on the web and apparently there is a ping.exe virus? I tried killing the process but it comes back. Any idea how to get rid of this?
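When a process comes straight back after being killed, the useful question is what launched it, not the process itself. The script below is an added example (not written by the thread's author and not part of any tool named in this thread) that polls WMI for new ping.exe instances and records each one's command line together with the parent process's PID, image path and owner. The function name Watch-ProcessSpawns, the polling interval and the output file are assumptions of the example.

```powershell
# Added example, not from the thread: watch for ping.exe starting and record which
# process launched it. Killing ping.exe does nothing when something respawns it;
# the parent PID, parent image path and command line point at that something.
# Uses WMI so it works on PowerShell 2.0 (XP/Vista). Run from an elevated prompt.

function Watch-ProcessSpawns {
    param(
        [string]$Name       = 'ping.exe',
        [int]   $Seconds    = 60,
        [int]   $IntervalMs = 500
    )
    $seen     = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $procs = @(Get-WmiObject Win32_Process -Filter "Name = '$Name'")
        foreach ($p in $procs) {
            # PIDs get reused, so key on PID plus creation time.
            $key = "$($p.ProcessId)-$($p.CreationDate)"
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true

            $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
            $parentName = '<already exited>'; $parentPath = ''; $parentOwner = ''
            if ($parent) {
                $parentName = $parent.Name
                $parentPath = $parent.ExecutablePath
                $owner = $parent.GetOwner()
                if ($owner.ReturnValue -eq 0) { $parentOwner = "$($owner.Domain)\$($owner.User)" }
            }
            New-Object PSObject -Property @{
                Seen        = Get-Date
                Pid         = $p.ProcessId
                CommandLine = $p.CommandLine
                ParentPid   = $p.ParentProcessId
                Parent      = $parentName
                ParentPath  = $parentPath
                ParentOwner = $parentOwner
            }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

# Sample for two minutes, show each spawn and keep a copy on the desktop.
Watch-ProcessSpawns -Name 'ping.exe' -Seconds 120 |
    Select-Object Seen, Pid, CommandLine, ParentPid, Parent, ParentPath, ParentOwner |
    Tee-Object -FilePath "$env:USERPROFILE\Desktop\ping-spawns.txt" |
    Format-List
```

Read the result with two things in mind. If the parent turns out to be a normal system process (svchost.exe, services.exe, explorer.exe), the launcher is almost certainly code loaded into that process rather than the binary itself, and the next step is listing the modules it has loaded, which is what the "DLLs Loaded Under Running Processes" section of the ComboFix log earlier in this thread does for winlogon, lsass and explorer. And a kernel-level rootkit can hide processes from WMI, so a short sample that shows nothing is not evidence that nothing is there.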