
Mel_3
Honorary Members, 26 posts

Everything posted by Mel_3

  1. Thanks for the help. The laptop is running XP Pro SP3. You say "Disable AV temporarily." Do you mean disable AVG? If not, what do you mean by "AV"? Thanks again for the help.
  2. This was on an old laptop. Here is what was in the popup window...

     Current Database Info
     7/8/09
     Error Code 532(0,0)
     dB ver 2401
     Fingerprints Loaded 110,435
     Notify MBAM Support with this error code

     Do I have malware keeping me from updating or is this just a very old copy of MBAM that should be deleted then updated? Thanks for any help.
  3. RPMc, I would like to ask a few follow-up questions if you don't mind.

     1 - Should I delete ProcessExplorer and TDSSKiller? Just delete? No uninstaller... right?
     2 - Are there any issues with running the Kaspersky Online Scanner periodically on this (& other computers)?
     3 - Kaspersky seems to do a deeper scan than traditional tools... is that its strength?
     4 - Where can I learn to use ComboFix? The website directs people to experts like you. Just wondering if I can learn to use it.
     5 - Other than regular scans with MBAM & AVG... can you suggest another tool for regular use? (Kaspersky Online Scanner or what?)
     6 - In this exercise I just learned about RootKits. Scary. What tool to detect RootKits? Is RKUnhooker the removal tool to use once detected?

     Finally, I am _very_ impressed with the assistance you (and the others here) provide. What a public/community service!! If you can answer the above it would be great. In either event, CASE CLOSED!
  4. RPMc, Thank you again for your kind assistance. Just a few final questions below.

     In your last instruction I'm down to deleting the apps listed...
     DDS
     Rootkit Unhooker
     SystemLook
     None of these were in Add/Remove Programs... and I did not see them on Start/All Programs... except Revo Uninstaller.

     Below are the files on my desktop, less the logs which have been deleted:
     dds.scr
     Kaspersky Online Scanner 7.0.url
     Revo Uninstaller.lnk
     RKUnhookerLE.EXE
     ProcessExplorer.zip
     tdsskiller.zip
     \ProcessExplorer
       Eula.txt
       procexp.chm
       procexp.exe
     \tdsskiller
       eula.txt
       TDSSKiller.exe

     The Questions:
     1 - Is dds.scr the DDS you listed? ...If so, just delete it? ...No uninstall process?
     2 - Is RKUnHookerLE.exe the Rootkit Unhooker you referenced? ...If so, just delete the file? ...No uninstall process?
     3 - I can't find a file or program named SystemLook. ...Looked in Add/Remove Programs but not there. ...Should I search the entire drive?
     4 - What about Revo Uninstaller.lnk? ...Should I delete this file? ...Should I go to Start/All Programs/Revo Uninstaller and delete that?
     5 - OK to just delete _all_ the other files shown below?
  5. OK, thanks for that news. Here is the MBAM report... ran from normal mode.

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4788

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     10/10/2010 9:35:56 AM
     mbam-log-2010-10-10 (09-35-56).txt

     Scan type: Full scan (C:\|D:\|)
     Objects scanned: 231966
     Time elapsed: 1 hour(s), 5 minute(s), 12 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  6. Wooops! Ignore the post I just did. Just saw your last response. Will boot in normal mode, update MBAM and run it & post report as instructed.
  7. I'm still running in safe mode. Kaspersky still reports issues so I'm reluctant to boot into normal mode. Sincere thanks for your help. Report below. What next?

     --------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER 7.0: scan report
     Saturday, October 9, 2010
     Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
     Kaspersky Online Scanner version: 7.0.26.13
     Last database update: Saturday, October 09, 2010 08:16:29
     Records in database: 4230446
     --------------------------------------------------------------------------------

     Scan settings:
     scan using the following database: extended
     Scan archives: yes
     Scan e-mail databases: yes

     Scan area - My Computer:
     C:\
     D:\
     E:\
     F:\
     G:\
     H:\
     I:\

     Scan statistics:
     Objects scanned: 93499
     Threats found: 7
     Infected objects found: 62
     Suspicious objects found: 0
     Scan duration: 03:30:12

     File name / Threat / Threats count
     C:\Documents and Settings\Owner\My Documents\Downloads\irc\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
     C:\Documents and Settings\Owner\My Documents\Downloads\irc\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
     C:\Documents from Prior Use\My Downloads\VNC\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
     C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\Common Files\Java\Java Update\jusched.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\google_search.xml.vir Infected: Trojan.Win32.Clicker.hd 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\Scansoft\PaperPort\IndexSearch.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\Scansoft\PaperPort\pptd40nt.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\PROGRA~1\AVG\AVG8\avgtray.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\WINDOWS\Fonts\mO8P6.com.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\WINDOWS\system32\rundll32.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\[4]-Submit_2010-10-02_11.00.13.zip Infected: Trojan-Downloader.Win32.Mufanom.airf 1
     C:\Qoobox\Quarantine\[4]-Submit_2010-10-06_10.33.51.zip Infected: Trojan.Win32.Powp.gen 4
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1003\A0081936.dll Infected: Trojan-PSW.Win32.Agent.uhe 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083334.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083335.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083336.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083337.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083338.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083340.com Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083783.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083785.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083786.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083787.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083788.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083789.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083790.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083793.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083794.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083796.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084007.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084008.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084009.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084010.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084011.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084012.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084013.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084014.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084020.com Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084495.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084717.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084723.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084724.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084725.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084726.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084727.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084728.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084729.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084730.com Infected: Trojan.Win32.Powp.gen 1

     Selected area has been scanned.
  8. RPMcM, I ran Kaspersky again as you asked and the report is below. I'm doing all this in Safe mode on my XP Pro PC as I don't want to boot in normal mode until it looks safe to do so. Kaspersky still reports issues. Hopefully we can address those. You have done a terrific job RPMcM! Thanks so much!!!

     --------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER 7.0: scan report
     Saturday, October 9, 2010
     Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
     Kaspersky Online Scanner version: 7.0.26.13
     Last database update: Saturday, October 09, 2010 08:16:29
     Records in database: 4230446
     --------------------------------------------------------------------------------

     Scan settings:
     scan using the following database: extended
     Scan archives: yes
     Scan e-mail databases: yes

     Scan area - My Computer:
     C:\
     D:\
     E:\
     F:\
     G:\
     H:\
     I:\

     Scan statistics:
     Objects scanned: 93499
     Threats found: 7
     Infected objects found: 62
     Suspicious objects found: 0
     Scan duration: 03:30:12

     File name / Threat / Threats count
     C:\Documents and Settings\Owner\My Documents\Downloads\irc\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
     C:\Documents and Settings\Owner\My Documents\Downloads\irc\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
     C:\Documents from Prior Use\My Downloads\VNC\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
     C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\Common Files\Java\Java Update\jusched.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\google_search.xml.vir Infected: Trojan.Win32.Clicker.hd 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\Scansoft\PaperPort\IndexSearch.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\Program Files\Scansoft\PaperPort\pptd40nt.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\PROGRA~1\AVG\AVG8\avgtray.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\WINDOWS\Fonts\mO8P6.com.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\C\WINDOWS\system32\rundll32.exe.vir Infected: Trojan.Win32.Powp.gen 1
     C:\Qoobox\Quarantine\[4]-Submit_2010-10-02_11.00.13.zip Infected: Trojan-Downloader.Win32.Mufanom.airf 1
     C:\Qoobox\Quarantine\[4]-Submit_2010-10-06_10.33.51.zip Infected: Trojan.Win32.Powp.gen 4
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1003\A0081936.dll Infected: Trojan-PSW.Win32.Agent.uhe 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083334.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083335.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083336.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083337.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083338.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083340.com Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083783.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083785.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083786.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083787.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083788.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083789.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083790.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083793.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083794.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083796.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084007.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084008.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084009.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084010.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084011.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084012.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084013.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084014.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084020.com Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084495.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084717.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084723.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084724.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084725.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084726.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084727.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084728.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084729.exe Infected: Trojan.Win32.Powp.gen 1
     C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1008\A0084730.com Infected: Trojan.Win32.Powp.gen 1

     Selected area has been scanned.
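The two Kaspersky Online Scanner reports above are read by location, not by count: Kaspersky Online Scanner 7.0 only detects and does not clean, C:\Qoobox\Quarantine is the folder ComboFix quarantines into, and the _restore{...} folders under System Volume Information are System Restore points, so every detection in those two places is a copy that is already out of use. The script below is an added example written for this page; it is not code from the posts or from Malwarebytes, Kaspersky or ComboFix. It parses report lines of the "<path> Infected: <threat> <count>" shape and sorts them into those buckets, leaving only hits on files still in place on the running system as ones that need attention. The sample lines are constructed from the report above plus one clearly labelled placeholder line standing in for a live-file hit, which this report did not contain.

```python
import re
from collections import Counter

# Constructed sample input in the shape of the "File name / Threat / Threats count"
# section of a Kaspersky Online Scanner 7.0 report. The first five hit lines are
# taken from the report quoted above; the PLACEHOLDER line is invented here to stand
# in for a detection on a live file, which the real report did not contain.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\Owner\My Documents\Downloads\irc\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Documents from Prior Use\My Downloads\VNC\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\[4]-Submit_2010-10-06_10.33.51.zip Infected: Trojan.Win32.Powp.gen 4
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1003\A0081936.dll Infected: Trojan-PSW.Win32.Agent.uhe 1
C:\WINDOWS\system32\PLACEHOLDER_live.dll Infected: PLACEHOLDER.Detection.name 1
Selected area has been scanned.
"""

# One hit line: "<path> Infected: <threat> <count>". The path may itself contain
# spaces (the "qttask .exe" trick above), so it is matched non-greedily up to the
# " Infected: " marker rather than split on whitespace.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Where a hit lives decides what it means:
#   C:\Qoobox\Quarantine\...        ComboFix's quarantine; the .vir copies are inert.
#   ...\System Volume Information\_restore{...}   System Restore points; a file there
#                                   only returns if that restore point is applied.
#   not-a-virus:...                 Kaspersky's prefix for legitimate dual-use tools.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"
RESTORE_MARKER = "\\system volume information\\_restore{"


def classify(path: str, threat: str) -> str:
    """Return one of: not-a-virus, quarantine, restore-point, active."""
    p = path.lower()
    if threat.lower().startswith("not-a-virus:"):
        return "not-a-virus"
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantine"
    if RESTORE_MARKER in p:
        return "restore-point"
    return "active"


def parse_report(text: str) -> list[dict]:
    """Parse the per-file hit lines of a report; header and footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, threat = m.group("path"), m.group("threat")
        count = int(m.group("count"))
        hits.append({"path": path, "threat": threat, "count": count,
                     "category": classify(path, threat)})
    return hits


def summarize(text: str) -> dict[str, tuple[int, int]]:
    """Map category -> (number of hit lines, total infected objects in those lines)."""
    lines, objects = Counter(), Counter()
    for h in parse_report(text):
        lines[h["category"]] += 1
        objects[h["category"]] += h["count"]
    return {cat: (lines[cat], objects[cat]) for cat in lines}


def active_hits(text: str) -> list[dict]:
    """Only the hits that point at a file still in place on the running system."""
    return [h for h in parse_report(text) if h["category"] == "active"]


if __name__ == "__main__":
    for cat, (n, objs) in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{cat:14} {n:3} lines  {objs:3} objects")
    for h in active_hits(SAMPLE_REPORT):
        print("needs attention:", h["path"], h["threat"])
```

Run against the full report in the post, every one of the 62 objects lands in the not-a-virus, quarantine or restore-point buckets and the active list is empty, which is the reading a helper gives such a log: the remaining entries go away when ComboFix's quarantine is removed and old restore points are purged, and do not by themselves justify staying in Safe Mode.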
  9. ComboFix 10-10-07.02 - Owner 10/08/2010 9:32.5.1 - x86 NETWORK
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.757 [GMT -4:00]
     Running from: c:\documents and settings\Owner\Desktop\Security\ComboFix.exe
     Command switches used :: c:\documents and settings\Owner\Desktop\Security\CFScript.txt
     AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

     FILE ::
     "c:\documents and settings\All Users\Application Data\hgTGm6Gd.dat"
     "c:\windows\Fonts\mO8P6.com"
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\documents and settings\All Users\Application Data\hgTGm6Gd.dat
     c:\program files\QuickTime
     c:\program files\QuickTime\Plugins\nsIQTScriptablePlugin.xpt
     c:\program files\QuickTime\qttask .exe
     c:\program files\QuickTime\qttask .exe
     c:\program files\QuickTime\qttask .exe
     c:\program files\QuickTime\qttask .exe
     c:\program files\QuickTime\qttask .exe
     c:\program files\QuickTime\qttask .exe
     c:\program files\QuickTime\qttask .exe
     c:\windows\Fonts\mO8P6.com

     .
     --------------- FCopy ---------------

     c:\windows\ServicePackFiles\i386\rundll32.exe --> c:\windows\system32\rundll32.exe
     .

     ((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
     .

     2010-10-07 12:55 . 2010-10-07 12:55 -------- d-----w- c:\program files\VS Revo Group
     2010-10-04 18:10 . 2010-10-04 18:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
     2010-09-29 23:37 . 2010-09-29 23:37 -------- d-----w- c:\program files\Trend Micro
     2010-09-29 23:31 . 2010-09-29 23:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
     2010-09-29 23:07 . 2010-09-29 23:07 -------- d-----w- c:\program files\CCleaner
     2010-09-28 21:17 . 2010-09-28 21:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2010-09-28 20:19 . 2010-09-29 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
     2010-09-28 19:37 . 2010-09-28 19:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
     2010-09-28 19:37 . 2010-09-28 19:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
     2010-09-28 16:06 . 2010-10-06 12:40 1324 ----a-w- c:\windows\system32\d3d9caps.dat
     2010-09-23 20:10 . 2010-09-23 22:24 -------- d-----w- c:\documents and settings\Owner\workspace
     2010-09-15 13:27 . 2010-06-23 17:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
     2010-09-15 13:27 . 2010-06-23 17:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
     2010-09-15 13:27 . 2010-06-23 17:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll
     2010-09-15 13:27 . 2010-09-15 13:28 -------- d-----w- c:\windows\system32\ZoneLabs
     2010-09-15 13:27 . 2010-09-15 13:27 -------- d-----w- c:\program files\Zone Labs
     2010-09-15 13:01 . 2010-09-15 13:01 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5bc64b00-n\decora-sse.dll
     2010-09-15 13:01 . 2010-09-15 13:01 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\msvcp71.dll
     2010-09-15 13:01 . 2010-09-15 13:01 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\jmc.dll
     2010-09-15 13:01 . 2010-09-15 13:01 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\msvcr71.dll
     2010-09-15 13:01 . 2010-09-15 13:01 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5bc64b00-n\decora-d3d.dll
     2010-09-12 15:32 . 2010-09-12 15:32 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
     2010-09-12 15:32 . 2010-09-12 15:32 -------- d-----w- c:\documents and settings\Owner\.thumbnails
     2010-09-09 20:20 . 2010-09-09 20:20 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
     2010-09-09 20:20 . 2010-09-09 20:20 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
     2010-09-09 19:12 . 2010-09-09 19:12 -------- d-----w- c:\program files\JRE
     2010-09-09 19:11 . 2010-09-09 19:12 -------- d-----w- c:\program files\OpenOffice.org 3
     2010-09-09 19:11 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
     2010-09-09 15:50 . 2010-09-12 15:36 -------- d-----w- c:\documents and settings\Owner\.gimp-2.6
     2010-09-09 15:42 . 2010-09-09 15:42 -------- d-----w- c:\program files\GIMP-2.0
     2010-09-09 14:29 . 2010-09-09 14:29 -------- d-----w- c:\program files\Paint.NET
     2010-09-09 14:29 . 2010-09-09 15:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Paint.NET
     .

     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .

     2010-10-07 13:08 . 2005-11-23 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
     2010-09-29 14:09 . 2009-12-29 21:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-09-28 14:02 . 2010-09-28 14:01 1595492 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
     2010-09-26 14:26 . 2006-01-27 15:00 222296 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-09-21 14:00 . 2005-11-23 01:08 -------- d-----w- c:\program files\Google
     2010-09-15 13:28 . 2008-06-17 17:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat
     2010-09-15 13:04 . 2005-11-23 01:10 -------- d-----w- c:\program files\Common Files\Java
     2010-09-15 13:04 . 2005-11-23 01:10 -------- d-----w- c:\program files\Java
     2010-09-08 12:00 . 2010-09-08 12:00 -------- d-----w- c:\program files\Common Files\IKE Software
     2010-09-08 12:00 . 2010-09-08 12:00 -------- d-----w- c:\program files\IKE Software
     2010-08-24 21:07 . 2010-08-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\magicJack
     2010-08-17 13:17 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\spoolsv.exe
     2010-08-02 21:04 . 2010-08-02 21:03 21706717 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_2010_08_02_14_28_05_full.dmp.zip
     2010-07-22 15:49 . 2004-08-26 16:12 590848 ----a-w- c:\windows\system32\rpcrt4.dll
     2010-07-22 05:57 . 2009-11-04 18:11 5120 ----a-w- c:\windows\system32\xpsp4res.dll
     .

     ((((((((((((((((((((((((((((( SnapShot@2010-10-01_18.37.06 )))))))))))))))))))))))))))))))))))))))))
     .

     + 2007-01-29 08:58 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
     - 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
     .

     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]

     [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
     "NoSetActiveDesktop"= 1 (0x1)
     "NoActiveDesktopChanges"= 1 (0x1)

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
     2009-11-06 14:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
     backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
     backup=c:\windows\pss\BigFix.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel MEDIA FOLDERS INDEXER 8.LNK
     backup=c:\windows\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SmartUI.lnk
     backup=c:\windows\pss\SmartUI.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
     path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
     backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
     c:\program files\QuickTime\qttask .exe -atboottime [X]

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
     2010-07-11 15:19 2048352 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
     2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
     2002-08-12 16:07 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
     2005-09-18 16:32 7204864 ----a-w- c:\windows\system32\nvcpl.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
     2005-09-18 16:32 86016 ----a-w- c:\windows\system32\nvmctray.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
     2005-09-18 16:32 1519616 ----a-w- c:\windows\system32\nwiz.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
     2002-08-12 15:33 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
     2002-09-14 07:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
     2005-03-15 17:04 966656 ----a-w- c:\windows\creator\remind_xp.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
     2004-11-03 04:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
     2005-09-26 23:07 90112 ----a-w- c:\windows\soundman.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
     2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
     2004-11-15 23:04 135168 ----a-w- c:\program files\Digital Media Reader\shwiconEM.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
     2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
     2006-11-21 17:38 35328 ----a-w- c:\program files\Winamp\winampa.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
     "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

     S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2008 11:12 AM 335240]
     S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/17/2008 11:11 AM 297752]
     S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/1/2010 7:52 AM 136176]
     S2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [3/18/2007 3:46 PM 53307]
     S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/5/2007 11:18 AM 2944]
     S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/5/2007 11:18 AM 3168]
     S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/5/2007 11:18 AM 39552]
     S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/5/2007 11:18 AM 60416]
     S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [?]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     getPlusHelper REG_MULTI_SZ getPlusHelper
     .
     Contents of the 'Scheduled Tasks' folder

     2010-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 11:52]

     2010-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 11:52]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.netpv.com/
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     Trusted Zone: fastestdeploy.com
     Trusted Zone: fastestdeploy.com
     TCP: {3DE59C59-FDC2-4F37-B00C-58CB922765A3} = 192.168.1.1
     DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab
     FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fm8vhal9.default\
     FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npPxPlay.dll
     FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
     FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
     FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
     FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

     ---- FIREFOX POLICIES ----
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
     c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
     c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
     .
     - - - - ORPHANS REMOVED - - - -

     MSConfigStartUp-cdloader - c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe
     MSConfigStartUp-CleanUp - c:\progra~1\McAfee.com\Shared\mcappins.exe
     MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
     MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
     MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
     MSConfigStartUp-MSKAGENTEXE - c:\progra~1\mcafee\SPAMKI~1\mskagent.exe
     MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
     MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
     MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
     MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
     .
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . Completion time: 2010-10-08 09:39:46 ComboFix-quarantined-files.txt 2010-10-08 13:39 ComboFix2.txt 2010-10-06 14:41 ComboFix3.txt 2010-10-03 13:59 ComboFix4.txt 2010-10-01 18:40 Pre-Run: 35,344,752,640 bytes free Post-Run: 35,325,550,592 bytes free - - End Of File - - A40A93F7D45CEBA3A0CB4B443536C512
  10. - Quicktime removed with Revo Uninstaller (free version). Nice utility. - Below is the SystemLook file. Thanks again !!!!

SystemLook 04.09.10 by jpshortstuff Log created at 09:09 on 07/10/2010 by Owner Administrator - Elevation successful ========== filefind ========== Searching for "rundll32.*" C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe -----c- 33280 bytes [15:17 03/10/2008] [19:00 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF C:\WINDOWS\I386\RUNDLL32.EX_ ------- 11853 bytes [16:10 26/08/2004] [19:00 04/08/2004] F8507676E40EAFE3ABB907812D65513B C:\WINDOWS\Prefetch\RUNDLL32.EXE-1831A4F3.pf --a---- 10860 bytes [13:51 05/10/2010] [13:51 05/10/2010] F1F731F239902A113361189A2CB06645 C:\WINDOWS\Prefetch\RUNDLL32.EXE-31610E45.pf --a---- 10602 bytes [12:42 05/10/2010] [12:42 05/10/2010] CA80427B5CD6951A2E6907E696D7B51E C:\WINDOWS\Prefetch\RUNDLL32.EXE-415F88EC.pf --a---- 12408 bytes [19:42 04/10/2010] [19:42 04/10/2010] 307ABAC168C60D5271236EDEA18D5828 C:\WINDOWS\ServicePackFiles\i386\rundll32.exe ------- 33280 bytes [12:32 03/09/2008] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6 C:\WINDOWS\system32\rundll32.exe --a---- 94212 bytes [16:12 26/08/2004] [17:44 30/09/2010] C60F9080FEDCF6CA6C79B881E7EA21A8 -= EOF =-
  11. Here it is. FYI we ran ComboFix in Windows XP Safe Mode and it seemed to work fine. Thanks again for sticking with this !! Great help !!!! Here is the ComboFix log:

ComboFix 10-10-05.05 - Owner 10/06/2010 10:33:58.4.1 - x86 NETWORK Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.757 [GMT -4:00] Running from: c:\documents and settings\Owner\Desktop\Security\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\Security\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} FILE :: "c:\documents and settings\All Users\Application Data\QC44k87A.exe" "c:\program files\QuickTime\qttask .exe" "c:\program files\QuickTime\qttask.exe" "c:\windows\Fonts\mO8P6.com" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\QC44k87A.exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask.exe c:\windows\Fonts\mO8P6.com c:\windows\Tasks\At1.job c:\windows\Tasks\At10.job c:\windows\Tasks\At11.job c:\windows\Tasks\At12.job c:\windows\Tasks\At13.job c:\windows\Tasks\At14.job c:\windows\Tasks\At15.job c:\windows\Tasks\At16.job c:\windows\Tasks\At17.job c:\windows\Tasks\At18.job c:\windows\Tasks\At19.job c:\windows\Tasks\At2.job c:\windows\Tasks\At20.job c:\windows\Tasks\At21.job c:\windows\Tasks\At22.job c:\windows\Tasks\At23.job c:\windows\Tasks\At24.job c:\windows\Tasks\At25.job c:\windows\Tasks\At26.job c:\windows\Tasks\At27.job c:\windows\Tasks\At28.job c:\windows\Tasks\At29.job c:\windows\Tasks\At3.job c:\windows\Tasks\At30.job c:\windows\Tasks\At31.job c:\windows\Tasks\At32.job c:\windows\Tasks\At33.job c:\windows\Tasks\At34.job c:\windows\Tasks\At35.job c:\windows\Tasks\At36.job c:\windows\Tasks\At37.job c:\windows\Tasks\At38.job c:\windows\Tasks\At39.job 
c:\windows\Tasks\At4.job c:\windows\Tasks\At40.job c:\windows\Tasks\At41.job c:\windows\Tasks\At42.job c:\windows\Tasks\At43.job c:\windows\Tasks\At44.job c:\windows\Tasks\At45.job c:\windows\Tasks\At46.job c:\windows\Tasks\At47.job c:\windows\Tasks\At48.job c:\windows\Tasks\At49.job c:\windows\Tasks\At5.job c:\windows\Tasks\At50.job c:\windows\Tasks\At51.job c:\windows\Tasks\At52.job c:\windows\Tasks\At53.job c:\windows\Tasks\At54.job c:\windows\Tasks\At55.job c:\windows\Tasks\At56.job c:\windows\Tasks\At57.job c:\windows\Tasks\At58.job c:\windows\Tasks\At59.job c:\windows\Tasks\At6.job c:\windows\Tasks\At60.job c:\windows\Tasks\At61.job c:\windows\Tasks\At62.job c:\windows\Tasks\At63.job c:\windows\Tasks\At64.job c:\windows\Tasks\At65.job c:\windows\Tasks\At66.job c:\windows\Tasks\At67.job c:\windows\Tasks\At68.job c:\windows\Tasks\At69.job c:\windows\Tasks\At7.job c:\windows\Tasks\At70.job c:\windows\Tasks\At71.job c:\windows\Tasks\At72.job c:\windows\Tasks\At8.job c:\windows\Tasks\At9.job . ((((((((((((((((((((((((( Files Created from 2010-09-06 to 2010-10-06 ))))))))))))))))))))))))))))))) . 2010-10-04 18:10 . 2010-10-04 18:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla 2010-09-29 23:37 . 2010-09-29 23:37 -------- d-----w- c:\program files\Trend Micro 2010-09-29 23:31 . 2010-09-29 23:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla 2010-09-29 23:07 . 2010-09-29 23:07 -------- d-----w- c:\program files\CCleaner 2010-09-28 21:17 . 2010-09-28 21:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2010-09-28 20:19 . 2010-09-29 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Update 2010-09-28 19:37 . 2010-09-28 19:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM 2010-09-28 19:37 . 
2010-09-28 19:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-09-28 16:06 . 2010-10-06 12:40 1324 ----a-w- c:\windows\system32\d3d9caps.dat 2010-09-23 20:10 . 2010-09-23 22:24 -------- d-----w- c:\documents and settings\Owner\workspace 2010-09-15 13:27 . 2010-06-23 17:51 69120 ----a-w- c:\windows\system32\zlcomm.dll 2010-09-15 13:27 . 2010-06-23 17:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll 2010-09-15 13:27 . 2010-06-23 17:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll 2010-09-15 13:27 . 2010-09-15 13:28 -------- d-----w- c:\windows\system32\ZoneLabs 2010-09-15 13:27 . 2010-09-15 13:27 -------- d-----w- c:\program files\Zone Labs 2010-09-15 13:01 . 2010-09-15 13:01 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5bc64b00-n\decora-sse.dll 2010-09-15 13:01 . 2010-09-15 13:01 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\msvcp71.dll 2010-09-15 13:01 . 2010-09-15 13:01 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\jmc.dll 2010-09-15 13:01 . 2010-09-15 13:01 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\msvcr71.dll 2010-09-15 13:01 . 2010-09-15 13:01 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5bc64b00-n\decora-d3d.dll 2010-09-12 15:32 . 2010-09-12 15:32 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0 2010-09-12 15:32 . 2010-09-12 15:32 -------- d-----w- c:\documents and settings\Owner\.thumbnails 2010-09-09 20:20 . 2010-09-09 20:20 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2010-09-09 20:20 . 
2010-09-09 20:20 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org 2010-09-09 19:12 . 2010-09-09 19:12 -------- d-----w- c:\program files\JRE 2010-09-09 19:11 . 2010-09-09 19:12 -------- d-----w- c:\program files\OpenOffice.org 3 2010-09-09 19:11 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll 2010-09-09 15:50 . 2010-09-12 15:36 -------- d-----w- c:\documents and settings\Owner\.gimp-2.6 2010-09-09 15:42 . 2010-09-09 15:42 -------- d-----w- c:\program files\GIMP-2.0 2010-09-09 14:29 . 2010-09-09 14:29 -------- d-----w- c:\program files\Paint.NET 2010-09-09 14:29 . 2010-09-09 15:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Paint.NET 2010-09-08 12:00 . 2010-09-08 12:00 -------- d-----w- c:\program files\Common Files\IKE Software 2010-09-08 12:00 . 2010-09-08 12:00 -------- d-----w- c:\program files\IKE Software 2010-09-07 13:17 . 2010-09-07 13:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-10-06 14:38 . 2005-11-23 01:15 -------- d-----w- c:\program files\QuickTime 2010-10-05 13:52 . 2010-10-05 13:52 112 ----a-w- c:\documents and settings\All Users\Application Data\hgTGm6Gd.dat 2010-09-30 17:44 . 2010-10-06 14:39 94212 ----a-w- c:\windows\Fonts\mO8P6.com 2010-09-30 17:44 . 2004-08-26 16:12 94212 ----a-w- c:\windows\system32\rundll32.exe 2010-09-29 14:09 . 2009-12-29 21:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-09-28 14:02 . 2010-09-28 14:01 1595492 ----a-w- c:\windows\Internet Logs\tvDebug.Zip 2010-09-26 14:26 . 2006-01-27 15:00 222296 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-09-21 14:00 . 2005-11-23 01:08 -------- d-----w- c:\program files\Google 2010-09-15 13:28 . 
2008-06-17 17:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat 2010-09-15 13:04 . 2005-11-23 01:10 -------- d-----w- c:\program files\Common Files\Java 2010-09-15 13:04 . 2005-11-23 01:10 -------- d-----w- c:\program files\Java 2010-08-24 21:07 . 2010-08-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\magicJack 2010-08-17 13:17 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-08-02 21:04 . 2010-08-02 21:03 21706717 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_2010_08_02_14_28_05_full.dmp.zip 2010-07-22 15:49 . 2004-08-26 16:12 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2010-07-22 05:57 . 2009-11-04 18:11 5120 ----a-w- c:\windows\system32\xpsp4res.dll . <pre> c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe </pre> ((((((((((((((((((((((((((((( SnapShot@2010-10-01_18.37.06 ))))))))))))))))))))))))))))))))))))))))) . + 2007-01-29 08:58 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe - 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-11-06 14:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk backup=c:\windows\pss\BigFix.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel MEDIA FOLDERS INDEXER 8.LNK backup=c:\windows\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SmartUI.lnk backup=c:\windows\pss\SmartUI.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] c:\program files\QuickTime\qttask 
.exe -atboottime [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY] 2010-07-11 15:19 2048352 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader] c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp] c:\progra~1\McAfee.com\Shared\mcappins.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch] 2002-08-12 16:07 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe] c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE] c:\progra~1\mcafee\SPAMKI~1\mskagent.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe] c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2005-09-18 16:32 7204864 ----a-w- c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] 2005-09-18 16:32 86016 ----a-w- c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] 2005-09-18 16:32 1519616 ----a-w- c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt] c:\program 
files\McAfee.com\VSO\oasclnt.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD] 2002-08-12 15:33 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard] 2002-09-14 07:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder] 2005-03-15 17:04 966656 ----a-w- c:\windows\creator\remind_xp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] 2004-11-03 04:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] 2005-09-26 23:07 90112 ----a-w- c:\windows\soundman.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM] 2004-11-15 23:04 135168 ----a-w- c:\program files\Digital Media Reader\shwiconEM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] 2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online] c:\program files\McAfee.com\VSO\mcvsshld.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask] c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] 2006-11-21 17:38 35328 ----a-w- c:\program files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\security 
center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"= S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2008 11:12 AM 335240] S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/17/2008 11:11 AM 297752] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/1/2010 7:52 AM 136176] S2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [3/18/2007 3:46 PM 53307] S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/5/2007 11:18 AM 2944] S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/5/2007 11:18 AM 3168] S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/5/2007 11:18 AM 39552] S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/5/2007 11:18 AM 60416] S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [?] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 getPlusHelper REG_MULTI_SZ getPlusHelper . 
Contents of the 'Scheduled Tasks' folder 2010-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 11:52] 2010-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 11:52] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.netpv.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/ uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s Trusted Zone: fastestdeploy.com Trusted Zone: fastestdeploy.com TCP: {3DE59C59-FDC2-4F37-B00C-58CB922765A3} = 192.168.1.1 DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fm8vhal9.default\ FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npPxPlay.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . Completion time: 2010-10-06 10:41:15 ComboFix-quarantined-files.txt 2010-10-06 14:41 ComboFix2.txt 2010-10-03 13:59 ComboFix3.txt 2010-10-01 18:40 Pre-Run: 35,293,847,552 bytes free Post-Run: 35,385,004,032 bytes free - - End Of File - - 5C37CFA6693360F74F8F6D5A143465A3
  12. I ran MBAM then Kaspersky Online Scanner 7 as you advised. Reports below.

1 - Kaspersky reports the computer as infected and I think it is as... ... at Power Up in normal mode Zone Alarm reports Rundll32.exe is attempting to go to IP address 83.133.119.139 DNS... ... and I Googled this IP address and it looks like a malware site... ... do you know if it is?

2 - And... Does Kaspersky fix the problems it found? If not how?

OH, I had to run Kaspersky in Windows XP Pro Safe mode... it reported it could not stay connected in normal mode. But it loaded the Java Virtual Machine and ran fine in Safe Mode. Thanks again for all the great help.

=== MBAM Report Start === Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4741 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 10/4/2010 3:15:35 PM mbam-log-2010-10-04 (15-15-35).txt Scan type: Quick scan Objects scanned: 144701 Time elapsed: 6 minute(s), 30 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\Fonts\mO8P6.com (Malware.Generic) -> Quarantined and deleted successfully. 
=== MBAM Report End === === KasReport Start === -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Tuesday, October 5, 2010 Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Tuesday, October 05, 2010 11:10:02 Records in database: 4281827 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: C:\ D:\ E:\ F:\ G:\ H:\ I:\ Scan statistics: Objects scanned: 93102 Threats found: 7 Infected objects found: 52 Suspicious objects found: 0 Scan duration: 02:57:09 File name / Threat / Threats count C:\Documents and Settings\All Users\Application Data\QC44k87A.exe Infected: Trojan.Win32.Powp.gen 1 C:\Documents and Settings\Owner\My Documents\Downloads\irc\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1 C:\Documents and Settings\Owner\My Documents\Downloads\irc\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1 C:\Documents from Prior Use\My Downloads\VNC\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4 C:\Program Files\QuickTime\qttask .exe Infected: Trojan.Win32.Powp.gen 1 C:\Program Files\QuickTime\qttask .exe Infected: Trojan.Win32.Powp.gen 1 C:\Program Files\QuickTime\qttask .exe Infected: Trojan.Win32.Powp.gen 1 C:\Program Files\QuickTime\qttask .exe Infected: Trojan.Win32.Powp.gen 1 C:\Program Files\QuickTime\qttask .exe Infected: Trojan.Win32.Powp.gen 1 C:\Program Files\QuickTime\qttask .exe Infected: Trojan.Win32.Powp.gen 1 C:\Program Files\QuickTime\qttask .exe Infected: Trojan.Win32.Powp.gen 1 C:\Program Files\QuickTime\qttask .exe Infected: Trojan.Win32.Powp.gen 1 C:\Program Files\QuickTime\qttask.exe Infected: Trojan.Win32.Powp.gen 1 C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application 
Data\mjusbsp\cdloader2.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\Java\Java Update\jusched.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\google_search.xml.vir Infected: Trojan.Win32.Clicker.hd 1
C:\Qoobox\Quarantine\C\Program Files\Scansoft\PaperPort\IndexSearch.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\Scansoft\PaperPort\pptd40nt.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\PROGRA~1\AVG\AVG8\avgtray.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\mO8P6.com.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\[4]-Submit_2010-10-02_11.00.13.zip Infected: Trojan-Downloader.Win32.Mufanom.airf 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1003\A0081936.dll Infected: Trojan-PSW.Win32.Agent.uhe 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083334.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083335.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083336.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083337.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083338.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1005\A0083340.com Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083783.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083785.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083786.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083787.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083788.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083789.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083790.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083793.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083794.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0083796.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084007.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084008.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084009.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084010.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084011.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084012.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084013.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084014.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1006\A0084020.com Infected: Trojan.Win32.Powp.gen 1
C:\WINDOWS\Fonts\mO8P6.com Infected: Trojan.Win32.Powp.gen 1
C:\WINDOWS\system32\rundll32.exe Infected: Trojan.Win32.Powp.gen 1
Selected area has been scanned.
=== KasReport End ===
  13. Here it is. Unfortunately I did not disable ZoneAlarm as instructed. (Reflex to leave it on, I guess.) Let me know if I need to run it again... or whatever is the next step. Thanks again for the help !!!!
ComboFix 10-09-30.03 - Owner 10/03/2010 9:44.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.558 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Security\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\Security\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FILE ::
"c:\windows\Fonts\mO8P6.com"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Fonts\mO8P6.com
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.
2010-09-29 23:37 . 2010-09-29 23:37 -------- d-----w- c:\program files\Trend Micro
2010-09-29 23:31 . 2010-09-29 23:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-09-29 23:07 . 2010-09-29 23:07 -------- d-----w- c:\program files\CCleaner
2010-09-28 21:17 . 2010-09-28 21:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-28 20:19 . 2010-09-29 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-09-28 19:37 . 2010-09-28 19:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-09-28 19:37 . 2010-09-28 19:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-28 16:06 . 2010-10-02 12:30 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-23 20:10 . 2010-09-23 22:24 -------- d-----w- c:\documents and settings\Owner\workspace
2010-09-15 13:27 . 2010-06-23 17:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-09-15 13:27 . 2010-06-23 17:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-09-15 13:27 . 2010-06-23 17:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-09-15 13:27 . 2010-09-15 13:28 -------- d-----w- c:\windows\system32\ZoneLabs
2010-09-15 13:27 . 2010-09-15 13:27 -------- d-----w- c:\program files\Zone Labs
2010-09-15 13:01 . 2010-09-15 13:01 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5bc64b00-n\decora-sse.dll
2010-09-15 13:01 . 2010-09-15 13:01 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\msvcp71.dll
2010-09-15 13:01 . 2010-09-15 13:01 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\jmc.dll
2010-09-15 13:01 . 2010-09-15 13:01 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\msvcr71.dll
2010-09-15 13:01 . 2010-09-15 13:01 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5bc64b00-n\decora-d3d.dll
2010-09-12 15:32 . 2010-09-12 15:32 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-09-12 15:32 . 2010-09-12 15:32 -------- d-----w- c:\documents and settings\Owner\.thumbnails
2010-09-09 20:20 . 2010-09-09 20:20 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-09 20:20 . 2010-09-09 20:20 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2010-09-09 19:12 . 2010-09-09 19:12 -------- d-----w- c:\program files\JRE
2010-09-09 19:11 . 2010-09-09 19:12 -------- d-----w- c:\program files\OpenOffice.org 3
2010-09-09 19:11 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-09 15:50 . 2010-09-12 15:36 -------- d-----w- c:\documents and settings\Owner\.gimp-2.6
2010-09-09 15:42 . 2010-09-09 15:42 -------- d-----w- c:\program files\GIMP-2.0
2010-09-09 14:29 . 2010-09-09 14:29 -------- d-----w- c:\program files\Paint.NET
2010-09-09 14:29 . 2010-09-09 15:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Paint.NET
2010-09-08 12:00 . 2010-09-08 12:00 -------- d-----w- c:\program files\Common Files\IKE Software
2010-09-08 12:00 . 2010-09-08 12:00 -------- d-----w- c:\program files\IKE Software
2010-09-07 13:17 . 2010-09-07 13:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-02 15:00 . 2005-11-23 01:15 -------- d-----w- c:\program files\QuickTime
2010-09-30 17:44 . 2004-08-26 16:12 94212 ----a-w- c:\windows\system32\rundll32.exe
2010-09-29 14:09 . 2009-12-29 21:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-28 14:02 . 2010-09-28 14:01 1595492 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-09-26 14:26 . 2006-01-27 15:00 222296 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-21 14:00 . 2005-11-23 01:08 -------- d-----w- c:\program files\Google
2010-09-15 13:28 . 2008-06-17 17:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-09-15 13:04 . 2005-11-23 01:10 -------- d-----w- c:\program files\Common Files\Java
2010-09-15 13:04 . 2005-11-23 01:10 -------- d-----w- c:\program files\Java
2010-08-24 21:07 . 2010-08-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\magicJack
2010-08-17 13:17 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-02 21:04 . 2010-08-02 21:03 21706717 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_2010_08_02_14_28_05_full.dmp.zip
2010-07-22 15:49 . 2004-08-26 16:12 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-11-04 18:11 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
<pre>
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-06 14:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel MEDIA FOLDERS INDEXER 8.LNK
backup=c:\windows\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SmartUI.lnk
backup=c:\windows\pss\SmartUI.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\qttask .exe -atboottime [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
2010-07-11 15:19 2048352 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp]
c:\progra~1\McAfee.com\Shared\mcappins.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2002-08-12 16:07 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\progra~1\mcafee.com\agent\mcagent.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\progra~1\mcafee.com\agent\mcupdate.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
c:\progra~1\mcafee\SPAMKI~1\mskagent.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-09-18 16:32 7204864 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-09-18 16:32 86016 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-09-18 16:32 1519616 ----a-w- c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
c:\program files\McAfee.com\VSO\oasclnt.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-08-12 15:33 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 07:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-03-15 17:04 966656 ----a-w- c:\windows\creator\remind_xp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 04:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-09-26 23:07 90112 ----a-w- c:\windows\soundman.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
2004-11-15 23:04 135168 ----a-w- c:\program files\Digital Media Reader\shwiconEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\program files\McAfee.com\VSO\mcvsshld.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2006-11-21 17:38 35328 ----a-w- c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2008 11:12 AM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/17/2008 11:11 AM 297752]
R2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [3/18/2007 3:46 PM 53307]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/1/2010 7:52 AM 136176]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/5/2007 11:18 AM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/5/2007 11:18 AM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/5/2007 11:18 AM 39552]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/5/2007 11:18 AM 60416]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 11:52]
2010-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 11:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netpv.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: fastestdeploy.com
Trusted Zone: fastestdeploy.com
TCP: {3DE59C59-FDC2-4F37-B00C-58CB922765A3} = 192.168.1.1
TCP: {F8A6B7D6-4685-44F7-BBBC-CD647744A0FD} = 192.168.1.1
DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fm8vhal9.default\
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 09:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
c:\windows\system32\rundll32.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-10-03 09:59:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-03 13:59
ComboFix2.txt 2010-10-01 18:40
Pre-Run: 33,756,065,792 bytes free
Post-Run: 33,726,259,200 bytes free
- - End Of File - - 001F2C58200AA2B875AF0694A9C2AA1E
  14. Thanks again for the help. Here are the log files. Couple of points.
1 - TDSSKiller rebooted & created two logs. First log first. Second log second.
2 - Forgot to disable ZoneAlarm after pasting code into & running ComboFix, but log included.
----------------------------------------------------------
START TDSSKiller log before reboot
2010/10/02 09:52:38.0777 TDSS rootkit removing tool 2.4.3.0 Sep 27 2010 15:28:54
2010/10/02 09:52:38.0777 ================================================================================
2010/10/02 09:52:38.0777 SystemInfo:
2010/10/02 09:52:38.0777
2010/10/02 09:52:38.0777 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/02 09:52:38.0777 Product type: Workstation
2010/10/02 09:52:38.0777 ComputerName: OFFICE
2010/10/02 09:52:38.0787 UserName: Owner
2010/10/02 09:52:38.0787 Windows directory: C:\WINDOWS
2010/10/02 09:52:38.0787 System windows directory: C:\WINDOWS
2010/10/02 09:52:38.0787 Processor architecture: Intel x86
2010/10/02 09:52:38.0787 Number of processors: 1
2010/10/02 09:52:38.0787 Page size: 0x1000
2010/10/02 09:52:38.0787 Boot type: Normal boot
2010/10/02 09:52:38.0787 ================================================================================
2010/10/02 09:52:39.0068 Initialize success
2010/10/02 09:53:14.0198 ================================================================================
2010/10/02 09:53:14.0198 Scan started
2010/10/02 09:53:14.0198 Mode: Manual;
2010/10/02 09:53:14.0198 ================================================================================
2010/10/02 09:53:14.0839 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/10/02 09:53:15.0060 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/02 09:53:15.0250 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/02 09:53:15.0470 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/10/02 09:53:15.0660
aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2010/10/02 09:53:15.0921 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys 2010/10/02 09:53:16.0151 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys 2010/10/02 09:53:16.0351 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys 2010/10/02 09:53:16.0562 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys 2010/10/02 09:53:16.0782 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys 2010/10/02 09:53:16.0992 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys 2010/10/02 09:53:17.0233 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys 2010/10/02 09:53:17.0543 ALCXWDM (92ae420be14b0d97d14dac4aba22a702) C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2010/10/02 09:53:17.0894 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys 2010/10/02 09:53:18.0084 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys 2010/10/02 09:53:18.0274 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys 2010/10/02 09:53:18.0464 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys 2010/10/02 09:53:18.0665 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys 2010/10/02 09:53:18.0845 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys 2010/10/02 09:53:19.0045 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys 2010/10/02 09:53:19.0236 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys 2010/10/02 09:53:19.0466 ASPI32 (31ed89badd47130ad57cce8c8dfb5b27) C:\WINDOWS\system32\drivers\ASPI32.sys 2010/10/02 09:53:19.0656 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 
2010/10/02 09:53:19.0897 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 2010/10/02 09:53:20.0257 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 2010/10/02 09:53:20.0477 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2010/10/02 09:53:20.0728 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys 2010/10/02 09:53:20.0948 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys 2010/10/02 09:53:21.0138 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2010/10/02 09:53:21.0329 brfilt (4ba311473e0d8557827e6f2fe33a8095) C:\WINDOWS\system32\Drivers\Brfilt.sys 2010/10/02 09:53:21.0559 brparimg (e05d9eda91c1b2c4c4f6f5a6d5b14b58) C:\WINDOWS\system32\DRIVERS\BrParImg.sys 2010/10/02 09:53:21.0759 BrParWdm (108d5c678411ac5b53d51756177d50a4) C:\WINDOWS\system32\Drivers\BrParwdm.sys 2010/10/02 09:53:21.0980 BrSerWDM (8e06cd96e00472c03770a697d04031c0) C:\WINDOWS\system32\Drivers\BrSerWdm.sys 2010/10/02 09:53:22.0290 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys 2010/10/02 09:53:22.0470 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2010/10/02 09:53:22.0651 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys 2010/10/02 09:53:22.0841 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2010/10/02 09:53:23.0041 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2010/10/02 09:53:23.0251 Cdr4_xp (bf79e659c506674c0497cc9c61f1a165) C:\WINDOWS\system32\drivers\Cdr4_xp.sys 2010/10/02 09:53:23.0422 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys 2010/10/02 09:53:23.0622 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2010/10/02 09:53:24.0032 CmdIde 
(e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys 2010/10/02 09:53:24.0233 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys 2010/10/02 09:53:24.0453 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys 2010/10/02 09:53:24.0653 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys 2010/10/02 09:53:24.0854 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2010/10/02 09:53:25.0124 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 2010/10/02 09:53:25.0334 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 2010/10/02 09:53:25.0525 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2010/10/02 09:53:25.0705 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2010/10/02 09:53:25.0905 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys 2010/10/02 09:53:26.0105 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2010/10/02 09:53:26.0326 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2010/10/02 09:53:26.0536 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys 2010/10/02 09:53:26.0746 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 2010/10/02 09:53:26.0967 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys 2010/10/02 09:53:27.0187 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2010/10/02 09:53:27.0397 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2010/10/02 09:53:27.0608 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2010/10/02 09:53:27.0808 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2010/10/02 
09:53:27.0978 GTNDIS5 (fc80052194d5708254a346568f0e77c0) C:\WINDOWS\system32\GTNDIS5.SYS 2010/10/02 09:53:28.0178 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2010/10/02 09:53:28.0379 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys 2010/10/02 09:53:28.0589 HSFHWBS2 (33dfc0afa95f9a2c753ff2adb7d4a21f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 2010/10/02 09:53:28.0829 HSF_DP (b2dfc168d6f7512faea085253c5a37ad) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 2010/10/02 09:53:29.0100 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2010/10/02 09:53:29.0310 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys 2010/10/02 09:53:29.0480 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys 2010/10/02 09:53:29.0671 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2010/10/02 09:53:29.0861 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2010/10/02 09:53:30.0071 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys 2010/10/02 09:53:30.0271 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 2010/10/02 09:53:30.0472 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2010/10/02 09:53:30.0672 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2010/10/02 09:53:30.0862 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2010/10/02 09:53:31.0053 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2010/10/02 09:53:31.0283 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2010/10/02 09:53:31.0503 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2010/10/02 09:53:31.0714 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) 
C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/02 09:53:31.0904 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/02 09:53:32.0084 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/02 09:53:32.0284 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/02 09:53:32.0515 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/02 09:53:32.0905 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/10/02 09:53:33.0156 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
2010/10/02 09:53:33.0356 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/02 09:53:33.0546 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/02 09:53:33.0746 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/02 09:53:34.0177 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/02 09:53:34.0407 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/02 09:53:34.0588 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/10/02 09:53:34.0768 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/02 09:53:35.0028 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/02 09:53:35.0349 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/02 09:53:35.0539 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/02 09:53:35.0749 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/02 09:53:35.0940 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/02 09:53:36.0120 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/02 09:53:36.0390 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/02 09:53:36.0591 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys
2010/10/02 09:53:36.0841 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/02 09:53:37.0031 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/02 09:53:37.0252 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/02 09:53:37.0442 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/02 09:53:37.0632 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/02 09:53:37.0822 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/02 09:53:38.0043 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/02 09:53:38.0313 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/02 09:53:38.0503 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/02 09:53:38.0744 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/02 09:53:39.0054 nv (84c65aa58ae1ede93716439267a23d40) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/10/02 09:53:39.0405 NVENETFD (2a7a2c6ab9631028b6e3a4159aa65705) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/10/02 09:53:39.0625 nvnetbus (20526a8827dc0956b5526aebcb6751a0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/10/02 09:53:39.0825 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/02 09:53:40.0025 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/02 09:53:40.0226 ONSIO (788f97dfc016ded8fe910e1f34e6462c) C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
2010/10/02 09:53:40.0486 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2010/10/02 09:53:40.0676 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/02 09:53:40.0877 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/02 09:53:41.0087 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/02 09:53:41.0317 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/02 09:53:41.0678 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/02 09:53:41.0868 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/02 09:53:42.0459 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/10/02 09:53:42.0689 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/10/02 09:53:42.0910 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/02 09:53:43.0110 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/10/02 09:53:43.0290 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/02 09:53:43.0511 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/02 09:53:43.0721 PxHelp20 (81088114178112618b1c414a65e50f7c) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/02 09:53:43.0901 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/10/02 09:53:44.0121 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/10/02 09:53:44.0302 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/10/02 09:53:44.0522 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/10/02 09:53:44.0712 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/10/02 09:53:44.0903 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/02 09:53:45.0093 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/02 09:53:45.0293 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/02 09:53:45.0513 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/02 09:53:45.0734 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/02 09:53:45.0954 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/02 09:53:46.0154 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/02 09:53:46.0365 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/02 09:53:46.0575 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/02 09:53:46.0805 rt2500usb (9621807bf414bca55b3ef3c4591a2f20) C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
2010/10/02 09:53:47.0046 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/02 09:53:47.0226 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/02 09:53:47.0456 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/02 09:53:47.0666 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/02 09:53:48.0037 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/10/02 09:53:48.0237 SMPLSCSI (405efa5a9748155af1f90aa1a26b6503) C:\WINDOWS\system32\drivers\SMPLSCSI.SYS
2010/10/02 09:53:48.0418 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/10/02 09:53:48.0648 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/02 09:53:48.0858 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/02 09:53:49.0079 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/02 09:53:49.0309 SunkFilt (86ca1a5c15a5a98d5533945fb1120b05) C:\WINDOWS\System32\Drivers\sunkfilt.sys
2010/10/02 09:53:49.0489 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/02 09:53:49.0679 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/02 09:53:49.0890 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/10/02 09:53:50.0080 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/10/02 09:53:50.0280 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/10/02 09:53:50.0491 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/10/02 09:53:50.0711 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/02 09:53:51.0001 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/02 09:53:51.0202 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/02 09:53:51.0402 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/02 09:53:51.0642 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/02 09:53:51.0842 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/10/02 09:53:52.0043 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/02 09:53:52.0253 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/10/02 09:53:52.0453 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/02 09:53:52.0734 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/10/02 09:53:52.0924 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/02 09:53:53.0114 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/02 09:53:53.0305 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/02 09:53:53.0485 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/10/02 09:53:53.0705 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/02 09:53:53.0905 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/02 09:53:54.0066 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/02 09:53:54.0276 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/02 09:53:54.0466 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys
2010/10/02 09:53:54.0687 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/02 09:53:54.0907 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/10/02 09:53:55.0097 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/02 09:53:55.0327 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/02 09:53:55.0508 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys
2010/10/02 09:53:55.0718 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/02 09:53:55.0918 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2010/10/02 09:53:56.0259 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/02 09:53:56.0489 winachsf (2dc7c0b6175a0a8ed84a4f70199c93b5) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/10/02 09:53:56.0659 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/02 09:53:56.0659 ================================================================================
2010/10/02 09:53:56.0659 Scan finished
2010/10/02 09:53:56.0659 ================================================================================
2010/10/02 09:53:56.0679 Detected object count: 1
2010/10/02 09:54:24.0800 \HardDisk0\MBR - will be cured after reboot
2010/10/02 09:54:24.0800 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/02 09:54:31.0039 Deinitialize success

----------------------------------------------------------
END TDSSKiller log before reboot
----------------------------------------------------------
START TDSSKiller log AFTER reboot

2010/10/02 09:59:27.0160 TDSS rootkit removing tool 2.4.3.0 Sep 27 2010 15:28:54
2010/10/02 09:59:27.0160 ================================================================================
2010/10/02 09:59:27.0160 SystemInfo:
2010/10/02 09:59:27.0160
2010/10/02 09:59:27.0160 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/02 09:59:27.0160 Product type: Workstation
2010/10/02 09:59:27.0160 ComputerName: OFFICE
2010/10/02 09:59:27.0160 UserName: Owner
2010/10/02 09:59:27.0160 Windows directory: C:\WINDOWS
2010/10/02 09:59:27.0160 System windows directory: C:\WINDOWS
2010/10/02 09:59:27.0160 Processor architecture: Intel x86
2010/10/02 09:59:27.0160 Number of processors: 1
2010/10/02 09:59:27.0160 Page size: 0x1000
2010/10/02 09:59:27.0160 Boot type: Normal boot
2010/10/02 09:59:27.0160 ================================================================================
2010/10/02 09:59:27.0380 Initialize success
2010/10/02 09:59:30.0695 ================================================================================
2010/10/02 09:59:30.0695 Scan started
2010/10/02 09:59:30.0695 Mode: Manual;
2010/10/02 09:59:30.0695 ================================================================================
2010/10/02 09:59:31.0967 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/10/02 09:59:32.0197 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/02 09:59:32.0548 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/02 09:59:32.0798 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/10/02 09:59:32.0988 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/02 09:59:33.0199 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/10/02 09:59:33.0439 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/02 09:59:33.0629 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/10/02 09:59:33.0839 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/10/02 09:59:34.0060 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/10/02 09:59:34.0320 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/10/02 09:59:34.0561 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/10/02 09:59:34.0871 ALCXWDM (92ae420be14b0d97d14dac4aba22a702) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/10/02 09:59:35.0191 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/10/02 09:59:35.0402 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/10/02 09:59:35.0622 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/10/02 09:59:35.0822 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/10/02 09:59:36.0023 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/10/02 09:59:36.0203 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/10/02 09:59:36.0383 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/10/02 09:59:36.0583 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2010/10/02 09:59:36.0814 ASPI32 (31ed89badd47130ad57cce8c8dfb5b27) C:\WINDOWS\system32\drivers\ASPI32.sys
2010/10/02 09:59:37.0004 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/02 09:59:37.0224 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/02 09:59:37.0585 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/02 09:59:37.0805 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/02 09:59:38.0046 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/10/02 09:59:38.0246 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/10/02 09:59:38.0436 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/02 09:59:38.0636 brfilt (4ba311473e0d8557827e6f2fe33a8095) C:\WINDOWS\system32\Drivers\Brfilt.sys
2010/10/02 09:59:38.0857 brparimg (e05d9eda91c1b2c4c4f6f5a6d5b14b58) C:\WINDOWS\system32\DRIVERS\BrParImg.sys
2010/10/02 09:59:39.0067 BrParWdm (108d5c678411ac5b53d51756177d50a4) C:\WINDOWS\system32\Drivers\BrParwdm.sys
2010/10/02 09:59:39.0267 BrSerWDM (8e06cd96e00472c03770a697d04031c0) C:\WINDOWS\system32\Drivers\BrSerWdm.sys
2010/10/02 09:59:39.0628 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/10/02 09:59:39.0808 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/02 09:59:39.0998 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/10/02 09:59:40.0189 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/02 09:59:40.0409 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/02 09:59:40.0599 Cdr4_xp (bf79e659c506674c0497cc9c61f1a165) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
2010/10/02 09:59:40.0789 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys
2010/10/02 09:59:40.0980 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/02 09:59:41.0310 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/10/02 09:59:41.0521 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/10/02 09:59:41.0911 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/10/02 09:59:42.0191 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/10/02 09:59:42.0402 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/02 09:59:42.0602 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/02 09:59:42.0822 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/02 09:59:43.0013 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/02 09:59:43.0193 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/02 09:59:43.0423 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/10/02 09:59:43.0604 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/02 09:59:43.0824 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/02 09:59:44.0034 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/02 09:59:44.0244 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/02 09:59:44.0435 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/02 09:59:44.0645 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/02 09:59:44.0865 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/02 09:59:45.0076 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/02 09:59:45.0306 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/02 09:59:45.0466 GTNDIS5 (fc80052194d5708254a346568f0e77c0) C:\WINDOWS\system32\GTNDIS5.SYS
2010/10/02 09:59:45.0666 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/02 09:59:45.0877 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/10/02 09:59:46.0087 HSFHWBS2 (33dfc0afa95f9a2c753ff2adb7d4a21f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2010/10/02 09:59:46.0347 HSF_DP (b2dfc168d6f7512faea085253c5a37ad) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/10/02 09:59:46.0628 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/02 09:59:46.0838 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/10/02 09:59:47.0018 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/10/02 09:59:47.0199 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/02 09:59:47.0389 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/02 09:59:47.0609 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/10/02 09:59:47.0800 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/02 09:59:47.0990 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/02 09:59:48.0190 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/02 09:59:48.0370 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/02 09:59:48.0561 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/02 09:59:48.0791 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/02 09:59:48.0971 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/02 09:59:49.0182 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/02 09:59:49.0422 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/02 09:59:49.0612 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/02 09:59:49.0782 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/02 09:59:50.0013 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/02 09:59:50.0403 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/10/02 09:59:50.0604 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
2010/10/02 09:59:50.0804 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/02 09:59:50.0984 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/02 09:59:51.0184 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/02 09:59:51.0395 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/02 09:59:51.0625 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/02 09:59:51.0845 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/10/02 09:59:52.0036 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/02 09:59:52.0306 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/02 09:59:52.0556 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/02 09:59:52.0747 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/02 09:59:52.0927 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/02 09:59:53.0117 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/02 09:59:53.0327 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/02 09:59:53.0558 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/02 09:59:53.0758 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys
2010/10/02 09:59:54.0018 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/02 09:59:54.0219 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/02 09:59:54.0439 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/02 09:59:54.0629 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/02 09:59:54.0820 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/02 09:59:55.0010 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/02 09:59:55.0240 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/02 09:59:55.0481 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/02 09:59:55.0661 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/02 09:59:55.0901 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/02 09:59:56.0202 nv (84c65aa58ae1ede93716439267a23d40) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/10/02 09:59:56.0492 NVENETFD (2a7a2c6ab9631028b6e3a4159aa65705) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/10/02 09:59:56.0712 nvnetbus (20526a8827dc0956b5526aebcb6751a0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/10/02 09:59:56.0913 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/02 09:59:57.0103 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/02 09:59:57.0323 ONSIO (788f97dfc016ded8fe910e1f34e6462c) C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
2010/10/02 09:59:57.0534 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2010/10/02 09:59:57.0724 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/02 09:59:57.0924 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/02 09:59:58.0124 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/02 09:59:58.0355 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/02 09:59:58.0715 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/02 09:59:58.0906 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/02 09:59:59.0737 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/10/02 09:59:59.0917 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/10/02 10:00:00.0127 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/02 10:00:00.0338 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/10/02 10:00:00.0518 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/02 10:00:00.0728 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/02 10:00:00.0938 PxHelp20 (81088114178112618b1c414a65e50f7c) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/02 10:00:01.0169 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/10/02 10:00:01.0369 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/10/02 10:00:01.0569 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/10/02 10:00:01.0760 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/10/02 10:00:01.0970 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/10/02 10:00:02.0150 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/02 10:00:02.0340 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/02 10:00:02.0531 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/02 10:00:02.0741 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/02 10:00:02.0981 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/02 10:00:03.0172 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/02 10:00:03.0372 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/02 10:00:03.0572 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/02 10:00:03.0783 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/02 10:00:04.0013 rt2500usb (9621807bf414bca55b3ef3c4591a2f20) C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
2010/10/02 10:00:04.0233 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/02 10:00:04.0433 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/02 10:00:04.0654 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/02 10:00:04.0854 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/02 10:00:05.0235 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/10/02 10:00:05.0445 SMPLSCSI (405efa5a9748155af1f90aa1a26b6503) C:\WINDOWS\system32\drivers\SMPLSCSI.SYS
2010/10/02 10:00:05.0665 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/10/02 10:00:05.0856 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/02 10:00:06.0056 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/02 10:00:06.0276 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/02 10:00:06.0486 SunkFilt (86ca1a5c15a5a98d5533945fb1120b05) C:\WINDOWS\System32\Drivers\sunkfilt.sys
2010/10/02 10:00:06.0667 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/02 10:00:06.0847 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/02 10:00:07.0067 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/10/02 10:00:07.0248 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/10/02 10:00:07.0458 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/10/02 10:00:07.0678 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/10/02 10:00:07.0858 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/02 10:00:08.0149 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/02 10:00:08.0429 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/02 10:00:08.0619 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/02 10:00:08.0830 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/02 10:00:09.0020 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/10/02 10:00:09.0220 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/02 10:00:09.0451 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/10/02 10:00:09.0661 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/02 10:00:09.0891 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/10/02 10:00:10.0082 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/02 10:00:10.0272 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/02 10:00:10.0462 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/02 10:00:10.0682 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/10/02 10:00:10.0863 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/02 10:00:11.0063 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/02 10:00:11.0243 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/02 10:00:11.0444 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/02 10:00:11.0634 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys
2010/10/02 10:00:11.0834 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/02 10:00:12.0064 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/10/02 10:00:12.0245 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/02 10:00:12.0465 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/02 10:00:12.0635 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys
2010/10/02 10:00:12.0826 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/02 10:00:13.0036 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2010/10/02 10:00:13.0376 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/02 10:00:13.0607 winachsf (2dc7c0b6175a0a8ed84a4f70199c93b5) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/10/02 10:00:13.0787 ================================================================================
2010/10/02 10:00:13.0787 Scan finished
2010/10/02 10:00:13.0787 ================================================================================
2010/10/02 10:03:10.0711 Deinitialize success

----------------------------------------------------------
END TDSSKiller log AFTER reboot
----------------------------------------------------------
START ComboFix log

ComboFix 10-09-30.03 - Owner 10/02/2010 11:00:20.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.576 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Security\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\Security\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\Gpiwohewazuc.bin"
file zipped: c:\windows\utibuvog.dll
file zipped: c:\windows\Uxovokelodas.dat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\mjusbsp
c:\documents and settings\Owner\Application Data\mjusbsp\_911offline.html
c:\documents and settings\Owner\Application Data\mjusbsp\_shuttingdown.html
c:\documents and settings\Owner\Application Data\mjusbsp\_shuttingdownS.html
c:\documents and settings\Owner\Application Data\mjusbsp\_startupBanner.html
c:\documents and settings\Owner\Application Data\mjusbsp\AECOctasic1.dll
c:\documents and settings\Owner\Application Data\mjusbsp\AECOctasic2.dll
c:\documents and settings\Owner\Application Data\mjusbsp\AECOctasic4.dll
c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe
c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\magicJack.dll
c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\magicJackSplash.exe
c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\mjsetup.exe
c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\splash.gif
c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\WarningMJCouldNotStart.gif
c:\documents and settings\Owner\Application Data\mjusbsp\big.skn
c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2 .exe
c:\documents and settings\Owner\Application Data\mjusbsp\closeWindow.png
c:\documents and settings\Owner\Application Data\mjusbsp\gwoffline.html
c:\documents and settings\Owner\Application Data\mjusbsp\gwoffline1.html
c:\documents and settings\Owner\Application Data\mjusbsp\gwoffline1S.html
c:\documents and settings\Owner\Application Data\mjusbsp\gwoffline2.html
c:\documents and settings\Owner\Application Data\mjusbsp\gwoffline2S.html
c:\documents and settings\Owner\Application Data\mjusbsp\gwofflineS.html
c:\documents and settings\Owner\Application Data\mjusbsp\in00000\magicJack.dll
c:\documents and settings\Owner\Application Data\mjusbsp\in00000\magicJackSplash.exe
c:\documents and settings\Owner\Application Data\mjusbsp\in00000\mjsetup.exe
c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
c:\documents and settings\Owner\Application Data\mjusbsp\in00000\splash.gif
c:\documents and settings\Owner\Application Data\mjusbsp\in00000\WarningMJCouldNotStart.gif
c:\documents and settings\Owner\Application Data\mjusbsp\Loader.gif
c:\documents and settings\Owner\Application Data\mjusbsp\lr00000\magicJack.dll
c:\documents and settings\Owner\Application Data\mjusbsp\magicJack.dll
c:\documents and settings\Owner\Application Data\mjusbsp\magicJack.exe
c:\documents and settings\Owner\Application Data\mjusbsp\magicJackLoader.exe
c:\documents and settings\Owner\Application Data\mjusbsp\magicJackSplash.exe
c:\documents and settings\Owner\Application Data\mjusbsp\mainBannerOffline.html
c:\documents and settings\Owner\Application Data\mjusbsp\octvqe1_apiw.dll
c:\documents and settings\Owner\Application Data\mjusbsp\octvqem_apiw.dll
c:\documents and settings\Owner\Application Data\mjusbsp\reloadWindow.png
c:\documents and settings\Owner\Application Data\mjusbsp\SJHandsetMagicJack.dll
c:\documents and settings\Owner\Application Data\mjusbsp\small.skn
c:\documents and settings\Owner\Application Data\mjusbsp\st00000\magicJack.dll
c:\documents and settings\Owner\Application Data\mjusbsp\st00000\magicJackSplash.exe
c:\documents and settings\Owner\Application Data\mjusbsp\st00000\mjsetup.exe
c:\documents and settings\Owner\Application Data\mjusbsp\st00000\splash.gif
c:\documents and settings\Owner\Application Data\mjusbsp\st00000\WarningMJCouldNotStart.gif
c:\documents and settings\Owner\Application Data\mjusbsp\TjIpSys.dll
c:\documents and settings\Owner\Application Data\mjusbsp\TjVista.dll
c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\install.exe
c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\magicJack.dll
c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\magicJackSplash.exe
c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\setup.exe
c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\splash.gif
c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\WarningMJCouldNotStart.gif
c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\install1.exe
c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\install1.ini
c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\setup1.exe
c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\setup1.ini
c:\documents and settings\Owner\Application Data\mjusbsp\WarningMJCouldNotStart.gif
c:\documents and settings\Owner\Application Data\mjusbsp\WarningNoDeviceFound.gif
c:\documents and settings\Owner\Application Data\mjusbsp\wroffline.html
c:\documents and settings\Owner\Application Data\mjusbsp\wroffline1.html
c:\documents and settings\Owner\Application Data\mjusbsp\wroffline1S.html
c:\documents and settings\Owner\Application Data\mjusbsp\wrofflineS.html
c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120}
c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120}\install.rdf
c:\windows\Gpiwohewazuc.bin
c:\windows\utibuvog.dll
c:\windows\Uxovokelodas.dat
.
((((((((((((((((((((((((( Files Created from 2010-09-02 to 2010-10-02 )))))))))))))))))))))))))))))))
.
2010-09-29 23:37 . 2010-09-29 23:37 -------- d-----w- c:\program files\Trend Micro
2010-09-29 23:31 . 2010-09-29 23:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-09-29 23:07 . 2010-09-29 23:07 -------- d-----w- c:\program files\CCleaner
2010-09-28 21:17 .
2010-09-28 21:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2010-09-28 20:19 . 2010-09-29 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Update 2010-09-28 19:37 . 2010-09-28 19:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM 2010-09-28 19:37 . 2010-09-28 19:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-09-28 16:06 . 2010-10-02 12:30 1324 ----a-w- c:\windows\system32\d3d9caps.dat 2010-09-23 20:10 . 2010-09-23 22:24 -------- d-----w- c:\documents and settings\Owner\workspace 2010-09-15 13:27 . 2010-06-23 17:51 69120 ----a-w- c:\windows\system32\zlcomm.dll 2010-09-15 13:27 . 2010-06-23 17:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll 2010-09-15 13:27 . 2010-06-23 17:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll 2010-09-15 13:27 . 2010-09-15 13:28 -------- d-----w- c:\windows\system32\ZoneLabs 2010-09-15 13:27 . 2010-09-15 13:27 -------- d-----w- c:\program files\Zone Labs 2010-09-15 13:01 . 2010-09-15 13:01 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5bc64b00-n\decora-sse.dll 2010-09-15 13:01 . 2010-09-15 13:01 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\msvcp71.dll 2010-09-15 13:01 . 2010-09-15 13:01 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\jmc.dll 2010-09-15 13:01 . 2010-09-15 13:01 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\msvcr71.dll 2010-09-15 13:01 . 2010-09-15 13:01 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5bc64b00-n\decora-d3d.dll 2010-09-12 15:32 . 
2010-09-12 15:32 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0 2010-09-12 15:32 . 2010-09-12 15:32 -------- d-----w- c:\documents and settings\Owner\.thumbnails 2010-09-09 20:20 . 2010-09-09 20:20 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2010-09-09 20:20 . 2010-09-09 20:20 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org 2010-09-09 19:12 . 2010-09-09 19:12 -------- d-----w- c:\program files\JRE 2010-09-09 19:11 . 2010-09-09 19:12 -------- d-----w- c:\program files\OpenOffice.org 3 2010-09-09 19:11 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll 2010-09-09 15:50 . 2010-09-12 15:36 -------- d-----w- c:\documents and settings\Owner\.gimp-2.6 2010-09-09 15:42 . 2010-09-09 15:42 -------- d-----w- c:\program files\GIMP-2.0 2010-09-09 14:29 . 2010-09-09 14:29 -------- d-----w- c:\program files\Paint.NET 2010-09-09 14:29 . 2010-09-09 15:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Paint.NET 2010-09-08 12:00 . 2010-09-08 12:00 -------- d-----w- c:\program files\Common Files\IKE Software 2010-09-08 12:00 . 2010-09-08 12:00 -------- d-----w- c:\program files\IKE Software 2010-09-07 13:17 . 2010-09-07 13:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-10-02 15:00 . 2005-11-23 01:15 -------- d-----w- c:\program files\QuickTime 2010-09-30 17:44 . 2010-10-02 15:08 94212 ----a-w- c:\windows\Fonts\mO8P6.com 2010-09-30 17:44 . 2004-08-26 16:12 94212 ----a-w- c:\windows\system32\rundll32.exe 2010-09-29 14:09 . 2009-12-29 21:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-09-28 14:02 . 2010-09-28 14:01 1595492 ----a-w- c:\windows\Internet Logs\tvDebug.Zip 2010-09-26 14:26 . 
2006-01-27 15:00 222296 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-09-21 14:00 . 2005-11-23 01:08 -------- d-----w- c:\program files\Google 2010-09-15 13:28 . 2008-06-17 17:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat 2010-09-15 13:04 . 2005-11-23 01:10 -------- d-----w- c:\program files\Common Files\Java 2010-09-15 13:04 . 2005-11-23 01:10 -------- d-----w- c:\program files\Java 2010-08-24 21:07 . 2010-08-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\magicJack 2010-08-17 13:17 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-08-02 21:04 . 2010-08-02 21:03 21706717 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_2010_08_02_14_28_05_full.dmp.zip 2010-07-22 15:49 . 2004-08-26 16:12 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2010-07-22 05:57 . 2009-11-04 18:11 5120 ----a-w- c:\windows\system32\xpsp4res.dll . <pre> c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe </pre> (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120} ---- 2010-09-28 20:20 . 2010-09-28 20:20 5954 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120}\chrome\content\overlay.xul 2010-09-28 20:20 . 2010-09-28 20:20 2120 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120}\chrome\content\_cfg.js 2010-09-28 20:20 . 
2010-09-28 20:20 764 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120}\install.rdf 2010-09-28 20:20 . 2010-09-28 20:20 122 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120}\chrome.manifest ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-11-06 14:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk backup=c:\windows\pss\BigFix.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel MEDIA FOLDERS INDEXER 8.LNK backup=c:\windows\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk] path=c:\documents and settings\All Users\Start 
Menu\Programs\Startup\SmartUI.lnk backup=c:\windows\pss\SmartUI.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] c:\program files\QuickTime\qttask .exe -atboottime [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY] 2010-07-11 15:19 2048352 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader] c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp] c:\progra~1\McAfee.com\Shared\mcappins.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch] 2002-08-12 16:07 36864 ----a-w- c:\program files\Scansoft\PaperPort\IndexSearch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe] c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE] c:\progra~1\mcafee\SPAMKI~1\mskagent.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe] c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2005-09-18 16:32 7204864 
----a-w- c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] 2005-09-18 16:32 86016 ----a-w- c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] 2005-09-18 16:32 1519616 ----a-w- c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt] c:\program files\McAfee.com\VSO\oasclnt.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD] 2002-08-12 15:33 45108 ----a-w- c:\program files\Scansoft\PaperPort\pptd40nt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard] 2002-09-14 07:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder] 2005-03-15 17:04 966656 ----a-w- c:\windows\creator\remind_xp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] 2004-11-03 04:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] 2005-09-26 23:07 90112 ----a-w- c:\windows\soundman.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM] 2004-11-15 23:04 135168 ----a-w- c:\program files\Digital Media Reader\shwiconEM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] 2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\VirusScan Online] c:\program files\McAfee.com\VSO\mcvsshld.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask] c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] 2006-11-21 17:38 35328 ----a-w- c:\program files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"= R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2008 11:12 AM 335240] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/17/2008 11:11 AM 297752] R2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [3/18/2007 3:46 PM 53307] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/1/2010 7:52 AM 136176] S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/5/2007 11:18 AM 2944] S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/5/2007 11:18 AM 3168] S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/5/2007 11:18 AM 39552] S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/5/2007 11:18 AM 60416] S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google 
Desktop Search\GoogleDesktop.exe [?] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 getPlusHelper REG_MULTI_SZ getPlusHelper . Contents of the 'Scheduled Tasks' folder 2010-10-02 c:\windows\Tasks\At1.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At10.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At11.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At12.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At13.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At14.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At15.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At16.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At17.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At18.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At19.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At2.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At20.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At21.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At22.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At23.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At24.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At3.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At4.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At5.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At6.job - 
c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At7.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At8.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\At9.job - c:\windows\Fonts\mO8P6.com [2010-10-02 17:44] 2010-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 11:52] 2010-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 11:52] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.netpv.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/ uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s Trusted Zone: fastestdeploy.com Trusted Zone: fastestdeploy.com TCP: {3DE59C59-FDC2-4F37-B00C-58CB922765A3} = 192.168.1.1 TCP: {F8A6B7D6-4685-44F7-BBBC-CD647744A0FD} = 192.168.1.1 DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fm8vhal9.default\ FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npPxPlay.dll FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - 
pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . - - - - ORPHANS REMOVED - - - - AddRemove-magicJack - c:\documents and settings\Owner\Application Data\mjusbsp\magicJackLoader.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-10-02 11:10 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2080) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\IME\SPGRMR.DLL c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\brss01a.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\nvsvc32.exe c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS c:\windows\system32\wdfmgr.exe c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\windows\system32\wscntfy.exe c:\windows\system32\RUNDLL32.EXE . ************************************************************************** . Completion time: 2010-10-02 11:14:58 - machine was rebooted ComboFix-quarantined-files.txt 2010-10-02 15:14 ComboFix2.txt 2010-10-01 18:40 Pre-Run: 33,843,892,224 bytes free Post-Run: 33,789,845,504 bytes free - - End Of File - - 351247D28833B93C97521F87CE5C6B04
  15. Well, I did have a problem with ComboFix. It reported "rootkit" and needed to restart... but the restart didn't go right, and AVG 8.5 & ZoneAlarm turned back on during boot. I think I successfully disabled AVG & ZA from starting on reboot... and then re-ran ComboFix (before I saw I shouldn't). ComboFix ran, reported rootkit, and I clicked OK to restart the computer per ComboFix's instructions. Log below... (Thank you so much for your help)

ComboFix 10-09-30.03 - Owner 10/01/2010 14:22:42.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.591 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Security\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\Bitrix Security
c:\documents and settings\Owner\Application Data\Bitrix Security\hjzvk
c:\documents and settings\Owner\Application Data\Bitrix Security\hwwkat9_shrd
c:\documents and settings\Owner\Application Data\Bitrix Security\qnf.txt
c:\documents and settings\Owner\Application Data\jsdfgs.bat
c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe
c:\progra~1\AVG\AVG8\avgtray.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\program files\Scansoft\PaperPort\IndexSearch.exe
c:\program files\Scansoft\PaperPort\pptd40nt.exe
c:\windows\AutoRun.ini
c:\windows\Downloaded Program Files\Install.inf
c:\windows\Fonts\mO8P6.com
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\ES17.exe
c:\windows\system32\spool\prtprocs\w32x86\CNMPP75.DLL
c:\windows\system32\spool\prtprocs\w32x86\ppbiPr.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-09-01 to 2010-10-01 )))))))))))))))))))))))))))))))
.
2010-09-29 23:37 . 2010-09-29 23:37 -------- d-----w- c:\program files\Trend Micro
2010-09-29 23:31 . 2010-09-29 23:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-09-29 23:07 . 2010-09-29 23:07 -------- d-----w- c:\program files\CCleaner
2010-09-29 21:23 . 2010-09-09 12:16 10818904 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
2010-09-29 21:23 . 2010-09-09 12:09 840200 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe
2010-09-28 21:17 . 2010-09-28 21:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-28 20:20 . 2010-09-29 23:05 120 ----a-w- c:\windows\Uxovokelodas.dat
2010-09-28 20:20 . 2010-09-29 13:51 0 ----a-w- c:\windows\Gpiwohewazuc.bin
2010-09-28 20:20 . 2010-09-28 20:20 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120}
2010-09-28 20:19 . 2010-09-29 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-09-28 19:37 . 2010-09-28 19:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-09-28 19:37 . 2010-09-28 19:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-28 16:06 . 2010-10-01 14:05 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-24 19:32 . 2010-09-09 12:16 10818904 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\setup1.exe
2010-09-24 19:32 . 2010-09-09 12:09 840200 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\Upgrade\install1.exe
2010-09-23 20:10 . 2010-09-23 22:24 -------- d-----w- c:\documents and settings\Owner\workspace
2010-09-15 13:27 . 2010-06-23 17:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-09-15 13:27 . 2010-06-23 17:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-09-15 13:27 . 2010-06-23 17:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-09-15 13:27 . 2010-09-15 13:28 -------- d-----w- c:\windows\system32\ZoneLabs
2010-09-15 13:27 . 2010-09-15 13:27 -------- d-----w- c:\program files\Zone Labs
2010-09-15 13:01 . 2010-09-15 13:01 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5bc64b00-n\decora-sse.dll
2010-09-15 13:01 . 2010-09-15 13:01 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\msvcp71.dll
2010-09-15 13:01 . 2010-09-15 13:01 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\jmc.dll
2010-09-15 13:01 . 2010-09-15 13:01 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e5a0246-n\msvcr71.dll
2010-09-15 13:01 . 2010-09-15 13:01 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5bc64b00-n\decora-d3d.dll
2010-09-12 15:32 . 2010-09-12 15:32 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-09-12 15:32 . 2010-09-12 15:32 -------- d-----w- c:\documents and settings\Owner\.thumbnails
2010-09-09 20:20 . 2010-09-09 20:20 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-09 20:20 . 2010-09-09 20:20 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2010-09-09 19:12 . 2010-09-09 19:12 -------- d-----w- c:\program files\JRE
2010-09-09 19:11 . 2010-09-09 19:12 -------- d-----w- c:\program files\OpenOffice.org 3
2010-09-09 19:11 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-09 15:50 . 2010-09-12 15:36 -------- d-----w- c:\documents and settings\Owner\.gimp-2.6
2010-09-09 15:42 . 2010-09-09 15:42 -------- d-----w- c:\program files\GIMP-2.0
2010-09-09 14:29 . 2010-09-09 14:29 -------- d-----w- c:\program files\Paint.NET
2010-09-09 14:29 . 2010-09-09 15:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Paint.NET
2010-09-09 12:16 . 2010-09-09 12:16 170904 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\magicJack.dll
2010-09-09 12:16 . 2010-09-09 12:16 10818904 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\setup.exe
2010-09-09 12:16 . 2010-09-09 12:16 804248 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJackLoader.exe
2010-09-09 12:15 . 2010-09-09 12:15 83352 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\octvqem_apiw.dll
2010-09-09 12:15 . 2010-09-09 12:15 206232 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\AECOctasic4.dll
2010-09-09 12:15 . 2010-09-09 12:15 734616 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\AECOctasic2.dll
2010-09-09 12:15 . 2010-09-09 12:15 202136 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\AECOctasic1.dll
2010-09-09 12:15 . 2010-09-09 12:15 480680 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\octvqe1_apiw.dll
2010-09-09 12:15 . 2010-09-09 12:15 214432 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\TjVista.dll
2010-09-09 12:15 . 2010-09-09 12:15 325024 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\TjIpSys.dll
2010-09-09 12:15 . 2010-09-09 12:15 632240 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\SJHandsetMagicJack.dll
2010-09-09 12:14 . 2010-09-09 12:14 170904 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\st00000\magicJack.dll
2010-09-09 12:14 . 2010-09-09 12:14 170904 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJack.dll
2010-09-09 12:10 . 2010-09-09 12:10 170904 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\lr00000\magicJack.dll
2010-09-09 12:09 . 2010-09-09 12:09 22156688 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJack.exe
2010-09-09 12:09 . 2010-09-09 12:09 50592 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2 .exe
2010-09-09 12:09 . 2010-09-09 12:09 840200 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\install.exe
2010-09-09 12:09 . 2010-09-09 12:09 170904 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\magicJack.dll
2010-09-09 12:08 . 2010-09-09 12:08 103840 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\st00000\mjsetup.exe
2010-09-09 12:08 . 2010-09-09 12:08 103840 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\mjsetup.exe
2010-09-09 12:08 . 2010-09-09 12:08 442800 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2010-09-09 12:08 . 2010-09-09 12:08 442800 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\st00000\magicJackSplash.exe
2010-09-09 12:08 . 2010-09-09 12:08 442800 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\magicJackSplash.exe
2010-09-09 12:08 . 2010-09-09 12:08 442800 ----a-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\magicJackSplash.exe
2010-09-08 12:00 . 2010-09-08 12:00 -------- d-----w- c:\program files\Common Files\IKE Software
2010-09-08 12:00 . 2010-09-08 12:00 -------- d-----w- c:\program files\IKE Software
2010-09-07 13:17 . 2010-09-07 13:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 18:33 . 2010-06-04 12:52 -------- d-----w- c:\documents and settings\Owner\Application Data\mjusbsp
2010-10-01 16:04 . 2005-11-23 01:15 -------- d-----w- c:\program files\QuickTime
2010-09-30 17:44 . 2004-08-26 16:12 94212 ----a-w- c:\windows\system32\rundll32.exe
2010-09-29 14:09 . 2009-12-29 21:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-28 14:02 . 2010-09-28 14:01 1595492 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-09-26 14:26 . 2006-01-27 15:00 222296 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-21 14:00 . 2005-11-23 01:08 -------- d-----w- c:\program files\Google
2010-09-15 13:28 . 2008-06-17 17:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-09-15 13:04 . 2005-11-23 01:10 -------- d-----w- c:\program files\Common Files\Java
2010-09-15 13:04 . 2005-11-23 01:10 -------- d-----w- c:\program files\Java
2010-08-24 21:07 . 2010-08-24 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\magicJack
2010-08-17 13:17 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-02 21:04 . 2010-08-02 21:03 21706717 ----a-w- c:\windows\Internet Logs\vsmon_on_demand_2010_08_02_14_28_05_full.dmp.zip
2010-07-22 15:49 . 2004-08-26 16:12 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-11-04 18:11 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.
<pre> c:\program files\AVG\AVG8\avgtray .exe c:\program files\Common Files\Java\Java Update\jusched .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\QuickTime\qttask .exe c:\program files\Scansoft\PaperPort\IndexSearch .exe c:\program files\Scansoft\PaperPort\pptd40nt .exe c:\windows\system32\rundll32 .exe </pre> ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-11-06 14:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk backup=c:\windows\pss\BigFix.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK] path=c:\documents 
and settings\All Users\Start Menu\Programs\Startup\Corel MEDIA FOLDERS INDEXER 8.LNK backup=c:\windows\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SmartUI.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SmartUI.lnk backup=c:\windows\pss\SmartUI.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] c:\program files\QuickTime\qttask .exe -atboottime [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY] c:\progra~1\AVG\AVG8\avgtray.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader] c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp] c:\progra~1\McAfee.com\Shared\mcappins.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch] c:\program files\Scansoft\PaperPort\IndexSearch.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe] c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE] c:\progra~1\mcafee\SPAMKI~1\mskagent.exe [N/A] 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe] c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2005-09-18 16:32 7204864 ----a-w- c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] 2005-09-18 16:32 86016 ----a-w- c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] 2005-09-18 16:32 1519616 ----a-w- c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt] c:\program files\McAfee.com\VSO\oasclnt.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD] c:\program files\Scansoft\PaperPort\pptd40nt.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard] 2002-09-14 07:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder] 2005-03-15 17:04 966656 ----a-w- c:\windows\creator\remind_xp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] 2004-11-03 04:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rfofekibehav] 2008-04-14 00:12 198144 ----a-w- c:\windows\utibuvog.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] 2005-09-26 23:07 90112 ----a-w- c:\windows\soundman.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] c:\program files\Common Files\Java\Java Update\jusched.exe [N/A] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM] 2004-11-15 23:04 135168 ----a-w- c:\program files\Digital Media Reader\shwiconEM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] 
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\program files\McAfee.com\VSO\mcvsshld.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2006-11-21 17:38 35328 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2008 11:12 AM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/17/2008 11:11 AM 297752]
R2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [3/18/2007 3:46 PM 53307]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/1/2010 7:52 AM 136176]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/5/2007 11:18 AM 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/5/2007 11:18 AM 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/5/2007 11:18 AM 39552]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/5/2007 11:18 AM 60416]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B0B9B83C-BBFC-49F5-93F4-BC388B073320}]
c:\documents and settings\Owner\Application Data\Bitrix Security\hwwkat9.dll [N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 11:52]

2010-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-01 11:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netpv.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: fastestdeploy.com
Trusted Zone: fastestdeploy.com
TCP: {3DE59C59-FDC2-4F37-B00C-58CB922765A3} = 192.168.1.1
TCP: {F8A6B7D6-4685-44F7-BBBC-CD647744A0FD} = 192.168.1.1
DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fm8vhal9.default\
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {CBF38F34-5F7F-4CB6-9A2A-216874E5E120} - c:\documents and settings\Owner\Local Settings\Application Data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-01 14:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys PCIIDEX.SYS >>UNKNOWN [0x86AE5C56]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7754f28
\Driver\ACPI -> ACPI.sys @ 0xf7557cb8
\Driver\atapi -> atapi.sys @ 0xf74f7852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-01 14:40:29
ComboFix-quarantined-files.txt 2010-10-01 18:40

Pre-Run: 31,982,612,480 bytes free
Post-Run: 34,165,096,448 bytes free

- - End Of File - - 47F6A5D43012669F71EE30A5737186D5
  16. Here it is. RkU Version: 3.8.388.590, Type LE (SR2) ============================================== OS Name: Windows XP Version 5.1.2600 (Service Pack 3) Number of processors #1 ============================================== >Drivers ============================================== 0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 3907584 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 81.33 ) 0xF5778000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 3645440 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM)) 0xF5D2A000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3497984 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 81.33 ) 0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System) 0x804D7000 PnpManager 2066816 bytes 0x804D7000 RAW 2066816 bytes 0x804D7000 WMIxWDM 2066816 bytes 0xBF800000 Win32k 1855488 bytes 0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver) 0xF5B9A000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver) 0xF5AF2000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 688128 bytes (Conexant Systems, Inc., HSF_CNXT driver) 0xF73D6000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver) 0xEEE97000 C:\WINDOWS\System32\vsdatant.sys 528384 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver) 0xEEDDA000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr) 0xF5639000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver) 0xEEF40000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver) 0xB99A7000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver) 0xEEBAD000 C:\WINDOWS\System32\Drivers\avgldx86.sys 331776 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader 
Driver) 0xF570A000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 303104 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.) 0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver) 0xB920C000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack) 0xB97D7000 C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS 262144 bytes 0xF56D3000 C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 225280 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.) 0xF5C99000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 221184 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver) 0xF7551000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT) 0xB9A76000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr) 0xF73A9000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver) 0xF74AC000 dac2w2k.sys 180224 bytes (Mylex Corporation, Mylex Disk Array Controller Driver) 0xB8076000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer) 0xEEE4A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver) 0xEEF18000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver) 0xEEDB4000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator) 0xEBCD9000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver) 0xF5754000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices)) 0xF5CF2000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver) 0xF5CCF000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library) 0xEEE75000 
C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock) 0xF748C000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager) 0xF7521000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver) 0xF738F000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver) 0xF74D8000 adpu160m.sys 102400 bytes (Microsoft Corporation, Adaptec Ultra160 SCSI miniport) 0xF74F1000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver) 0xEBCC1000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes 0xF7509000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver) 0xF7463000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface) 0xF56A8000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption)) 0xB9BE3000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper) 0xF56BF000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver) 0xF5D16000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver) 0x806D0000 ACPI_HAL 81152 bytes 0x806D0000 C:\WINDOWS\system32\hal.dll 81152 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL) 0xEEF99000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver) 0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver) 0xF747A000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver) 0xF7540000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator) 0xF5697000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler) 0xF732F000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft 
Corporation, CD-ROM File System Driver) 0xF78A0000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver) 0xF78D0000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver) 0xF78C0000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter) 0xF78B0000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver) 0xF7700000 SMPLSCSI.SYS 61440 bytes (OnSpec Electronic, Inc., OnSpec SCSI Miniport Driver) 0xF6B6F000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter) 0xF40EC000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB) 0xF76E0000 aic78u2.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra2 SCSI miniport) 0xF76B0000 aic78xx.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra SCSI miniport) 0xF7750000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll) 0xF78E0000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver) 0xF78F0000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver) 0xF76A0000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver) 0xF7730000 ql12160.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters) 0xF7720000 ql1280.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters) 0xF736F000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol) 0xF7790000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter) 0xF77C0000 agpCPQ.sys 45056 bytes (Microsoft Corporation, CompatNT AGP Filter) 0xF77A0000 alim1541.sys 45056 bytes (Microsoft Corporation, ALi M1541 NT AGP Filter) 0xF77B0000 
amdagp.sys 45056 bytes (Advanced Micro Devices, Inc., AMD Win2000 AGP Filter) 0xF407C000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver) 0xF6B3F000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver) 0xF7690000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager) 0xF737F000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver) 0xF7780000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter) 0xF7680000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver) 0xF40FC000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy) 0xF7710000 ql1080.sys 40960 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters) 0xF76D0000 ql1240.sys 40960 bytes (Microsoft Corporation, QLogic ISP PCI Adapters) 0xF7770000 sisagp.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter) 0xF734F000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver) 0xF7740000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver) 0xEDD9D000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library) 0xF735F000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier) 0xF409C000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver) 0xB9987000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver) 0xF40CC000 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 36864 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.) 
0xF6B4F000 C:\WINDOWS\system32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver) 0xF7760000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP) 0xF76C0000 ql10wnt.sys 36864 bytes (Microsoft Corporation, Miniport Driver for QLogic ISP PCI Adapters) 0xF76F0000 ultra.sys 36864 bytes (Promise Technology, Inc., Promise Ultra66 Miniport Driver) 0xF3203000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver) 0xF79A0000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver) 0xF3F2A000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver) 0xF7930000 symc8xx.sys 32768 bytes (LSI Logic, Symbios 8XX SCSI Miniport Driver) 0xF7940000 sym_u3.sys 32768 bytes (LSI Logic, Symbios Ultra3 SCSI Miniport Driver) 0xF7998000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver) 0xF7918000 asc.sys 28672 bytes (Advanced System Products, Inc., AdvanSys SCSI Controller Driver) 0xF3F42000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library) 0xF7968000 hpn.sys 28672 bytes (Microsoft Corporation, NetRAID-4M Miniport Driver) 0xF7900000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension) 0xF7960000 perc2.sys 28672 bytes (Microsoft Corporation, PERC 2 Miniport Driver) 0xEE145000 C:\WINDOWS\System32\Drivers\sunkfilt.sys 28672 bytes (Alcor Micro Corp., SunkFilt) 0xF7938000 sym_hi.sys 28672 bytes (LSI Logic, Symbios Hi-Perf SCSI Miniport Driver) 0xEE13D000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver) 0xF7948000 ABP480N5.SYS 24576 bytes (Microsoft Corporation, AdvanSys SCSI Controller Driver) 0xF7950000 asc3350p.sys 24576 bytes (Microsoft Corporation, AdvanSys SCSI Card Driver) 0xF33FA000 
C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver) 0xF79A8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver) 0xF79C8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver) 0xF3F3A000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver) 0xF7958000 dpti2o.sys 20480 bytes (Microsoft Corporation, DPT SmartRAID miniport) 0xF7928000 i2omp.sys 20480 bytes (Microsoft Corporation, I2O Miniport Driver) 0xF7920000 mraid35x.sys 20480 bytes (American Megatrends Inc., MegaRAID RAID Controller Driver for Windows Whistler 32) 0xF3F32000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver) 0xF7908000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager) 0xF79B8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library) 0xF79C0000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver) 0xF7910000 sparrow.sys 20480 bytes (Adaptec, Inc., Adaptec AIC-6x60 series SCSI miniport) 0xF79B0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper) 0xF7A88000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver) 0xF79F8000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver) 0xEDA40000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 16384 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver) 0xF7A9C000 aha154x.sys 16384 bytes (Microsoft Corporation, Adaptec AHA-154x series SCSI miniport) 0xF7AAC000 asc3550.sys 16384 bytes (Advanced System Products, Inc., AdvanSys Ultra-Wide PCI SCSI Driver) 0xF7AB4000 cbidf2k.sys 16384 bytes (Microsoft Corporation, CardBus/PCMCIA IDE 
Miniport Driver) 0xF7A98000 cpqarray.sys 16384 bytes (Microsoft Corporation, Compaq Drive Array Controllers SCSI Miniport Driver) 0xF7AA4000 dac960nt.sys 16384 bytes (Microsoft Corporation, Mylex Disk Array Controller Driver) 0xB9537000 C:\WINDOWS\system32\GTNDIS5.SYS 16384 bytes (Printing Communications Assoc., Inc. (PCAUSA), PCAUSA NDIS 5.0 Protocol Driver) 0xF7AB0000 ini910u.sys 16384 bytes (Microsoft Corporation, INITIO ini910u SCSI miniport) 0xF72BB000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver) 0xEE230000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver) 0xF7B78000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 16384 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.) 0xF7B7C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator) 0xF7AA0000 symc810.sys 16384 bytes (Symbios Logic Inc., Symbios Logic Inc. SCSI Miniport Driver) 0xF7AA8000 amsint.sys 12288 bytes (Microsoft Corporation, AMD SCSI/NET Controller) 0xB9C00000 C:\WINDOWS\System32\Drivers\ASPI32.SYS 12288 bytes (Adaptec, ASPI for WIN32 Kernel Driver) 0xF7A94000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver) 0xEDA50000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver) 0xF7B54000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices) 0xF5631000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter) 0xB9A6A000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER) 0xF5635000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver) 0xF72CB000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver) 0xF5619000 
C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver) 0xF7B82000 aliide.sys 8192 bytes (Acer Laboratories Inc., ALi mini IDE Driver) 0xF7B98000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows ® 2000 DDK provider, TR Manager) 0xF7BF8000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver) 0xF7B8C000 cd20xrnt.sys 8192 bytes (Microsoft Corporation, IBM Portable CD-ROM Drive Miniport) 0xF7B84000 cmdide.sys 8192 bytes (CMD Technology, Inc., CMD PCI IDE Bus Driver) 0xF7C2A000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes 0xF7BF6000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver) 0xF7B8A000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver) 0xF7BFA000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator) 0xF7B8E000 perc2hib.sys 8192 bytes (Microsoft Corporation, PERC 2 Hibernate Driver) 0xF7BFC000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport) 0xF7BA8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator) 0xF7B86000 toside.sys 8192 bytes (Microsoft Corporation, Toshiba PCI IDE Controller) 0xF7BEE000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver) 0xF7B88000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver) 0xF7B80000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll) 0x86B52000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL) 0xF7DC7000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver) 0xF7D87000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 4096 bytes (Sonic Solutions, CDR4 CD and DVD Place Holder Driver (see PxHelp)) 0xF7DA0000 
C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 4096 bytes (Sonic Solutions, CDRAL Place Holder Driver (see PxHelp)) 0xED850000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk) 0xF7DA1000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver) 0xF7C48000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver) !!!!!!!!!!!Hidden driver: 0x86B5BA9F ?_empty_? 1377 bytes ============================================== >Stealth ============================================== 0xF74F1000 WARNING: suspicious driver modification [atapi.sys::0x86B5BA9F] ============================================== >Files ============================================== !-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\7CIFDBNO\252C+%252526+DVDs%25255EVideo+%252526+DVD+Sales+%252526+Rental%25255E%2526RC%253D1%2526CTS%253DVideo+%252526+DVD+Sales+%252526+Rental%2526MCBP%253Dtrue[1]1] !-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UB9KSCGJ\2Fyellowpages.superpages.com%252Flistings[1].jsp%253FSRC%253Dyellowcom%2526C%253DMovie%2526STYPE%253DS%2526L%253DMelbourne+FL%2526F%253D1%2526MCBP%253Dtruef !-->[Hidden] C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1004\A0082210.RDB !-->[Hidden] C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1004\A0082211.RDB !-->[Hidden] C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1004\A0082212.RDB !-->[Hidden] C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1004\A0082213.RDB !-->[Hidden] C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1004\A0082214.RDB ============================================== >Hooks ============================================== ntkrnlpa.exe+0x0002AC38, Type: Inline - RelativeJump 
0x80501C38-->80501C2E [ntkrnlpa.exe] ntkrnlpa.exe+0x0002AD8C, Type: Inline - RelativeJump 0x80501D8C-->80501D82 [ntkrnlpa.exe] ntkrnlpa.exe+0x0002AF04, Type: Inline - RelativeJump 0x80501F04-->80501EFA [ntkrnlpa.exe] ntkrnlpa.exe+0x0002AF3C, Type: Inline - RelativeJump 0x80501F3C-->80501F32 [ntkrnlpa.exe] ntkrnlpa.exe+0x0006AA9A, Type: Inline - RelativeJump 0x80541A9A-->80541AA1 [ntkrnlpa.exe] tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xEEF7F428-->EEEBDCBA [vsdatant.sys] tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xEEF7F454-->EEEBD4C8 [vsdatant.sys] tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xEEF7F460-->EEEBD672 [vsdatant.sys] wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF3208B4C-->EEEBDCBA [vsdatant.sys] wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xF3208B1C-->EEEBBC2A [vsdatant.sys] wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF3208B3C-->EEEBD4C8 [vsdatant.sys] wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF3208B28-->EEEBD672 [vsdatant.sys] [1116]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page] [1116]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page] [1116]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page] [1116]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page] [1116]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page] [1116]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page] [1116]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page] 
[1556]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll] [1556]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll] [1556]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll] [1556]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page] [1556]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page] [1556]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page] [1556]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page] [1556]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page] [1556]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page] [1556]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll] [1556]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll] [2884]firefox.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page] [2884]firefox.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page] [2884]firefox.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page] [2884]firefox.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page] [2884]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163C3-->00000000 [firefox.exe] [2884]firefox.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 
0x7C90D6EE-->00000000 [unknown_code_page] [2884]firefox.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
  17. RKUnhooker won't run. Error = Error Loading/opening driver
      I'm in safe mode as owner... not administrator. Does that matter?
      dds.scr below & attached as instructed. Thanks for the help.

      ==== DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
      Run by Owner at 12:33:50.71 on Thu 09/30/2010
      Internet Explorer: 8.0.6001.18702
      Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.303 [GMT -4:00]
      AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
      FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
      ============== Running Processes ===============
      C:\WINDOWS\system32\svchost -k DcomLaunch
      svchost.exe
      C:\WINDOWS\system32\svchost.exe -k netsvcs
      svchost.exe
      svchost.exe
      C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Documents and Settings\Owner\Desktop\Security\dds.scr
      ============== Pseudo HJT Report ===============
      uSearch Bar = hxxp://www.google.com/ie
      uStart Page = hxxp://www.netpv.com/
      uSearch Page = hxxp://www.google.com
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
      uInternet Settings,ProxyServer = http=127.0.0.1:5555
      uInternet Settings,ProxyOverride = <local>
      uSearchAssistant = hxxp://www.google.com/ie
      uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
      mSearchAssistant = hxxp://www.google.com/ie
      BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
      BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
      BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
      BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program 
files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll EB: Easy-WebPrint: {03c1c47f-0538-4645-8372-d3109b9fc636} - c:\program files\canon\easy-webprint\Toolband.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0 uRun: [cdloader] "c:\documents and settings\owner\application data\mjusbsp\cdloader2.exe" MAGICJACK mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe mRun: [indexSearch] c:\program files\scansoft\paperport\IndexSearch.exe mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe" mRun: [Rfofekibehav] rundll32.exe "c:\windows\utibuvog.dll",Startup StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartui.lnk - c:\program files\scansoft\paperport\smartui\SmartUI.exe uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) mPolicies-system: EnableLUA = 0 (0x0) dPolicies-explorer: NoSetActiveDesktop = 1 (0x1) dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) dPolicies-system: DisableTaskMgr = 1 (0x1) IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - 
c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll Trusted Zone: fastestdeploy.com Trusted Zone: fastestdeploy.com DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: {3DE59C59-FDC2-4F37-B00C-58CB922765A3} = 192.168.1.1 TCP: {F8A6B7D6-4685-44F7-BBBC-CD647744A0FD} = 192.168.1.1 Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll mASetup: {B0B9B83C-BBFC-49F5-93F4-BC388B073320} - rundll32.exe "c:\documents and 
settings\owner\application data\bitrix security\hwwkat9.dll", DllUnrer ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\fm8vhal9.default\ FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npPxPlay.dll FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: XULRunner: {CBF38F34-5F7F-4CB6-9A2A-216874E5E120} - c:\documents and settings\owner\local settings\application data\{CBF38F34-5F7F-4CB6-9A2A-216874E5E120} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program 
files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24); c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - 
pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program 
files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-9-15 532224] R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?] 
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 335240] S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-17 27784] S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-17 297752] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-1 136176] S2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\compact wireless-g usb network adapter with speedbooster\WLService.exe [2007-3-18 53307] S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-12-5 2944] S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2007-12-5 3168] S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-12-5 39552] S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-12-5 60416] S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;"c:\program files\google\google desktop search\googledesktop.exe" --> c:\program files\google\google desktop search\GoogleDesktop.exe [?] 
=============== Created Last 30 ================ 2010-09-29 23:37:53 0 d-----w- c:\program files\Trend Micro 2010-09-29 23:07:44 0 d-----w- c:\program files\CCleaner 2010-09-28 22:36:35 0 ----a-w- c:\windows\system32\19169.exe 2010-09-28 22:16:35 0 ----a-w- c:\windows\system32\26500.exe 2010-09-28 21:56:35 0 ----a-w- c:\windows\system32\6334.exe 2010-09-28 21:36:35 0 ----a-w- c:\windows\system32\18467.exe 2010-09-28 21:01:05 0 ----a-w- c:\windows\system32\ES17.exe 2010-09-28 20:20:57 120 ----a-w- c:\windows\Uxovokelodas.dat 2010-09-28 20:20:57 0 ----a-w- c:\windows\Gpiwohewazuc.bin 2010-09-28 20:19:23 141 ----a-w- c:\docume~1\owner\applic~1\jsdfgs.bat 2010-09-28 20:19:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Update 2010-09-28 20:19:06 0 d-----w- c:\docume~1\owner\applic~1\Bitrix Security 2010-09-28 16:06:36 1324 ----a-w- c:\windows\system32\d3d9caps.dat 2010-09-23 20:10:45 0 d-----w- c:\documents and settings\owner\workspace 2010-09-15 13:27:06 1238528 ----a-w- c:\windows\system32\zpeng25.dll 2010-09-15 13:27:05 0 d-----w- c:\windows\system32\ZoneLabs 2010-09-15 13:27:03 420800 ----a-w- c:\windows\system32\vsconfig.xml 2010-09-15 13:27:00 0 d-----w- c:\program files\Zone Labs 2010-09-12 15:33:14 854 ----a-w- c:\documents and settings\owner\.recently-used.xbel 2010-09-12 15:32:51 706222 ----a-w- c:\documents and settings\owner\Layers Test.xcf 2010-09-12 15:32:51 0 d-----w- c:\documents and settings\owner\.thumbnails 2010-09-09 20:20:06 0 d-----w- c:\docume~1\owner\applic~1\OpenOffice.org 2010-09-09 19:12:10 0 d-----w- c:\program files\JRE 2010-09-09 19:11:44 0 d-----w- c:\program files\OpenOffice.org 3 2010-09-09 19:11:18 73728 ----a-w- c:\windows\system32\javacpl.cpl 2010-09-09 19:11:18 423656 ----a-w- c:\windows\system32\deployJava1.dll 2010-09-09 15:50:35 0 d-----w- c:\documents and settings\owner\.gimp-2.6 2010-09-09 15:42:20 0 d-----w- c:\program files\GIMP-2.0 2010-09-09 14:29:18 0 d-----w- c:\program files\Paint.NET 2010-09-08 12:00:09 0 d-----w- 
c:\program files\IKE Software 2010-09-08 12:00:09 0 d-----w- c:\program files\common files\IKE Software ==================== Find3M ==================== 2010-09-15 13:28:06 4212 ---ha-w- c:\windows\system32\zllictbl.dat 2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2008-10-03 16:03:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100320081004\index.dat ============= FINISH: 12:34:54.73 =============== Attach.txt
  18. "Infected" popups & redirection from IE 8. Thanks for any help! HJT log below... Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:06:46 PM, on 9/30/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Safe mode with network support Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netpv.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: 
Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [Rfofekibehav] rundll32.exe "C:\WINDOWS\utibuvog.dll",Startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: SmartUI.lnk = ? 
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://*.fastestdeploy.com O15 - Trusted Zone: http://*.fastestdeploy.com (HKLM) O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - http://dl.google.com/dl/desktop/nv/GoogleG...PluginIEWin.cab O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{3DE59C59-FDC2-4F37-B00C-58CB922765A3}: NameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\..\{F8A6B7D6-4685-44F7-BBBC-CD647744A0FD}: NameServer = 192.168.1.1 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. 
- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing) O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe -- End of file - 6278 bytes
  19. Anybody know if this is a false positive? It was never there before... so I conclude that my XP-Pro laptop was just infected with it. And... if it is NOT a false-positive... then I still do not know if it is safe to let Malwarebytes "remove" it and the two registry entries. Thanks for any help on what I should do next.
  20. If this is not the correct forum please advise and I will repost - thanks.

      The Problem:
      - I updated Malwarebytes on my XP Pro Toshiba laptop last night and ran it.
      - This morning it reports Trojan Vundo in...
      C:\Windows\System32\psqlpdw.dll
      HKey_LocalMachine\software\microsoft\windows\CurrentVersion\SharedDLL\Windows\System32\psqlpwd.dll Value c:\windows\system32\psqlpwd.dll
      HKey_LocalMachine\software\microsoft\windows NT\Current Version\Winlogon\Notify\psfus
      Apparently this has to do with the fingerprint device on my Toshiba Tecra laptop (Fingerprint Protector Suite Check) and Googling it I find at least one place that tells me not to remove it.

      The Question:
      - How do I get rid of this Malware without having to reinstall the system?
      I really appreciate any help. Thanks.
  21. Running XP on a small peer-to-peer home network. I Google a search term and this appears under each site found...
WARNING: Visiting this site may harm your computer
It has shown up on two of my peer-to-peer PCs. (Haven't checked the others yet)
I'm running Malwarebytes with latest updates on one.
I'm running AVG with latest updates on the other.
What is this? Will Malwarebytes fix it via a regular scan or what must I do to get it fixed. Thanks for any help.
PS - I'm posting this from another PC via a Wireless Aircard... and do not see the problem on this PC.
PS - If I have posted this in the wrong forum please let me know and I will move it. Thanks.
  22. ===== Start of reply to Tigger93 =====
Tigger93, Thanks for the help. I followed your instructions. The two logs follow. First the Combofix log... then the HijackThis Log.
- I see in the Combofix log that it replaced the flagged (infected) file c:\windows\system32\userinit.
- I do not see where the two associated registry entries flagged originally by Malwarebytes were fixed... if they really need fixing... (and it may have fixed them and I missed it.)
- I look forward to your follow-up advice. (Should I run Malwarebytes again? Should I do what?)
I can't thank you enough for your kind assistance. You guys really supply a service here !!! Thanks again.
===== Combofix Log Starts =====
ComboFix 09-01-21.04 - Will 2009-01-27 6:37:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1304 [GMT -5:00]
Running from: c:\documents and settings\Will\My Documents\Downloads\HiJack This\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\biologon.dll
c:\windows\system32\test.ttt
c:\windows\system32\win32hlp.cnf
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_seneka
((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.
2009-01-26 18:36 . 2009-01-26 18:36 <DIR> d-------- c:\program files\Trend Micro
2009-01-26 11:28 . 2009-01-26 11:28 <DIR> d-------- c:\program files\Belarc
2009-01-26 11:28 . 2008-02-27 12:49 3,840 --a------ c:\windows\system32\drivers\BANTExt.sys
2009-01-23 09:34 .
2009-01-23 09:35 <DIR> d-------- c:\program files\Inspiration 7.5 2009-01-23 09:34 . 2009-01-23 09:34 <DIR> d-------- c:\documents and settings\Will\Application Data\Inspiration Software 2009-01-23 09:34 . 1999-12-17 11:13 86,016 --a------ c:\windows\unvise32.exe 2009-01-23 09:30 . 2009-01-23 09:30 <DIR> d-------- c:\windows\speech 2009-01-14 19:34 . 2009-01-14 19:34 <DIR> d-------- c:\documents and settings\Will\Application Data\Malwarebytes 2009-01-14 19:30 . 2009-01-14 19:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-14 19:30 . 2009-01-14 19:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-14 19:30 . 2009-01-14 19:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-01-14 19:30 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-14 19:30 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-09 08:38 . 2009-01-09 08:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Musicnotes 2009-01-08 07:45 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll 2009-01-07 19:51 . 2009-01-07 20:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2009-01-07 19:51 . 2009-01-07 19:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-02 22:38 . 2009-01-02 22:38 <DIR> d-------- c:\documents and settings\Will\Application Data\Apple Computer 2009-01-02 22:37 . 2009-01-02 22:38 <DIR> d-------- c:\program files\iTunes 2009-01-02 22:37 . 2009-01-02 22:37 <DIR> d-------- c:\program files\iPod 2009-01-02 22:37 . 2009-01-02 22:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2009-01-02 22:36 . 2009-01-02 22:36 <DIR> d-------- c:\program files\Apple Software Update 2009-01-02 22:36 . 
2009-01-02 22:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer 2009-01-02 22:35 . 2009-01-02 22:37 <DIR> d-------- c:\program files\Common Files\Apple 2009-01-02 22:35 . 2009-01-02 22:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-11 15:48 --------- d-----w c:\program files\NoteTab Light 2009-01-05 04:34 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2009-01-03 03:37 --------- d-----w c:\program files\Bonjour 2009-01-03 03:36 --------- d-----w c:\program files\QuickTime 2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys 2008-12-11 08:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2008-11-28 00:10 --------- d--h--w c:\program files\InstallShield Installation Information 2008-11-28 00:10 --------- d-----w c:\program files\Xara 2008-11-27 23:58 --------- d-----w c:\documents and settings\Will\Application Data\MAGIX 2008-11-27 23:58 --------- d-----w c:\documents and settings\All Users\Application Data\MAGIX 2008-11-27 23:55 --------- d-----w c:\program files\WMV9_VCM 2008-11-27 23:55 --------- d-----w c:\program files\Magix 2008-11-27 23:54 --------- d-----w c:\program files\Common Files\xara 2008-11-27 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\Xara 2008-01-10 20:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat 2008-08-27 16:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ThpSrv"="c:\windows\system32\thpsrv" [X] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008] "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-05 30208] "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552] "TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-09 344144] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608] "00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 15:14 258048] "DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-13 311296] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-10 1862144] "TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-26 90112] "TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976] "TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152] "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-09 159744] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-25 136816] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-29 1261336] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "ISUSPM 
Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904] "RTHDCPL"="RTHDCPL.EXE" [2007-03-12 c:\windows\RTHDCPL.exe] "TFNF5"="TFNF5.exe" [2006-04-10 c:\windows\system32\TFNF5.exe] "000StTHK"="000StTHK.exe" [2001-06-23 07:28 24576 c:\windows\system32\000StTHK.exe] "NDSTray.exe"="NDSTray.exe" [bU] "TFncKy"="TFncKy.exe" [bU] "TOSDCR"="TOSDCR.EXE" [2005-12-13 c:\windows\system32\TOSDCR.exe] "TPSODDCtl"="TPSODDCtl.exe" [2007-02-02 c:\windows\system32\TPSODDCtl.exe] "TPSMain"="TPSMain.exe" [2006-07-26 c:\windows\system32\TPSMain.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-10-20 171448] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] 2006-05-05 19:48 40448 c:\windows\system32\psqlpwd.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli psqlpwd [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-04-27 21120] R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-03-09 6528] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-11 97928] R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2008-01-10 5888] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-01-10 36608] R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2008-06-03 435072] R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-11 231704] R4 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2006-05-05 13568] R4 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2006-05-05 33024] R4 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [2006-05-05 3456] R4 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-03-26 105856] R4 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [2008-01-10 126976] R4 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-02-19 134016] . Contents of the 'Scheduled Tasks' folder 2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] . - - - - ORPHANS REMOVED - - - - HKU-Default-Run-msiexec.exe - msiconf.exe . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.netpv.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: networksolutions.com\www DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} - hxxp://www.brevardpropertyappraiser.com/picto/include/PictImageCtrl30.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-27 06:41:55 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(964) c:\windows\system32\psqlpwd.dll c:\program files\Protector Suite QL\infra.dll c:\program files\Protector Suite QL\homefus2.dll c:\program files\Protector Suite QL\homepass.dll c:\program files\Protector Suite QL\bio.dll c:\program files\Protector Suite QL\remote.dll c:\program files\Protector Suite QL\mysafe.dll c:\program files\Protector Suite QL\crypto.dll - - - - - - - > 'lsass.exe'(1020) c:\windows\system32\psqlpwd.dll c:\program files\Protector Suite QL\infra.dll c:\program files\Protector Suite QL\homefus2.dll . ------------------------ Other Running Processes ------------------------ . 
c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\windows\system32\ZoneLabs\vsmon.exe c:\windows\system32\scardsvr.exe c:\windows\system32\agrsmsvc.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Toshiba\ConfigFree\CFSvcs.exe c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\AVG\AVG8\avgrsx.exe c:\windows\system32\igfxsrvc.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\windows\system32\igfxext.exe c:\toshiba\IVP\swupdate\swupdtmr.exe c:\windows\system32\ThpSrv.exe c:\program files\Protector Suite QL\psqltray.exe c:\windows\system32\TODDSrv.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe c:\windows\system32\wdfmgr.exe c:\program files\Toshiba\ConfigFree\NDSTray.exe c:\program files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe c:\windows\system32\ThpSrv.exe c:\program files\Toshiba\TME3\TMEEJME.exe c:\program files\Apoint2K\ApntEx.exe c:\windows\system32\TPSBattM.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe . ************************************************************************** . 
Completion time: 2009-01-27 6:44:46 - machine was rebooted ComboFix-quarantined-files.txt 2009-01-27 11:44:43 Pre-Run: 131,859,759,104 bytes free Post-Run: 132,176,936,960 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 231 --- E O F --- 2009-01-15 02:23:06 ===== Combofix Log end ===== ===== HijackThis Log start ===== Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:47:24 AM, on 1/27/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\agrsmsvc.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\TFNF5.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\igfxsrvc.exe C:\TOSHIBA\IVP\ISM\pinger.exe C:\Program Files\ltmoh\Ltmoh.exe C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\igfxext.exe c:\TOSHIBA\IVP\swupdate\swupdtmr.exe C:\WINDOWS\system32\ThpSrv.exe C:\Program Files\Protector Suite QL\psqltray.exe 
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\system32\00THotkey.exe C:\WINDOWS\system32\TODDSrv.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\WINDOWS\system32\thpsrv.exe C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE C:\WINDOWS\system32\TPSMain.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netpv.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = 
http://go.microsoft.com/fwlink/?LinkId=74005 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [TFNF5] TFNF5.exe O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop 
Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - 
Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} (Pictometry Viewer Control) - http://www.brevardpropertyappraiser.com/pi...ImageCtrl30.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. 
- C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 11610 bytes ===== HijackThis Log End =====
  23. - I'm reposting this here as instructed. Thanks for ANY help !!!
- I'm running XP-Pro and latest Malwarebytes with latest updates
- I read the instructions at "I'm infected. What do I do now?"
- Malwarebytes reported...
===== Start Report =====
Multiple threat dection
Infection list:
1 File name: c:\windows\system32\userinit.ece Threat name: Trojan horse Downloader.Agent.ATHF Detected on open
2 File name: c:\windows\system32\userinit.ece Threat name: Trojan horse Downloader.Agent.ATHF Detected on open
Details:
1 Process Name: C:\Malwarebyes' Anti-Malware\mbam.exe Process ID: 4476
2 Process Name: C:\Malwarebyes' Anti-Malware\mbam.exe Process ID: 2304
===== End Report =====
- I chose "Ignore" (because I had read somewhere else that "removing" userinit.exe would prevent you from logging on later)
- Then Malwarebytes reported the scan was complete and showed two registry errors
- (BUT no file errors... which seems to conflict with the report above)
- Should I have chosen "Remove threat as Power User" or was it correct to choose "Ignore"
Here is the log:
===== Log start =====
Malwarebytes' Anti-Malware 1.33
Database version: 1687
Windows 5.1.2600 Service Pack 3
1/26/2009 10:11:44 AM
mbam-log-2009-01-26 (10-11-36).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 167717
Time elapsed: 47 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
===== Log end =====
- Should I choose "Remove Selected" for the two registry keys shown above?
- How can I get this Trojan off this machine? I read fixing the file userinit.exe is difficult and risky. Some say run sfc.exe /scannow with original xp-pro cd in machine... but this Toshiba laptop only comes with an "image" and Toshiba told me it will only restore the entire system... so I lose data and have to reinstall all apps.
- End of my original post -
Finally... Moderator Form Diety replied to my original post (that was in the wrong forum... sorry) "MBAM should not remove it, but don't tell it to just in case. We'll use Combofix to try and repair it."
- I don't know what Combofix is... so thanks again for any help !!!
  24. - If this is not the correct forum for this please direct me and I will repost - thanks
- I'm running XP-Pro and latest Malwarebytes with latest updates
- I read the instructions at "I'm infected. What do I do now?"
- Malwarebytes reported...
===== Start Report =====
Multiple threat dection
Infection list:
1 File name: c:\windows\system32\userinit.ece Threat name: Trojan horse Downloader.Agent.ATHF Detected on open
2 File name: c:\windows\system32\userinit.ece Threat name: Trojan horse Downloader.Agent.ATHF Detected on open
Details:
1 Process Name: C:\Malwarebyes' Anti-Malware\mbam.exe Process ID: 4476
2 Process Name: C:\Malwarebyes' Anti-Malware\mbam.exe Process ID: 2304
===== End Report =====
- I chose "Ignore" (because I had read somewhere else that "removing" userinit.exe would prevent you from logging on later)
- Then Malwarebytes reported the scan was complete and showed two registry errors
- (BUT no file errors... which seems to conflict with the report above)
- Should I have chosen "Remove threat as Power User" or was it correct to choose "Ignore"
Here is the log:
===== Log start =====
Malwarebytes' Anti-Malware 1.33
Database version: 1687
Windows 5.1.2600 Service Pack 3
1/26/2009 10:11:44 AM
mbam-log-2009-01-26 (10-11-36).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 167717
Time elapsed: 47 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
===== Log end =====
- Should I choose "Remove Selected" for the two registry keys shown above?
- How can I get this Trojan off this machine? I read fixing the file userinit.exe is difficult and risky. Some say run sfc.exe /scannow with original xp-pro cd in machine... but this Toshiba laptop only comes with an "image" and Toshiba told me it will only restore the entire system... so I lose data and have to reinstall all apps.
Thanks for any help on this.
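The Malwarebytes' Anti-Malware log quoted in the post above (and in the repost at 23) has a fixed layout: a header with product and database version, one summary count per category, then one detail section per category listing either "(No malicious items detected)" or entries of the form "item (threat) -> Data: value -> action". The poster's confusion was whether the summary counts agreed with what was listed, and whether the Winlogon\Userinit hit was safe to act on. The following is an added example, not code from this thread, from Malwarebytes or from any poster: a small parser for that layout that cross-checks the summary counts against the detail sections and flags anything under the Winlogon key. The sample log is constructed from the post's text (re-wrapped one entry per line and abridged), and the layout rules are assumptions drawn only from that one log, so other MBAM versions may differ.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and cross-check its sections.
Added example, not code from the thread or from Malwarebytes; the layout is inferred
only from the log quoted in the post above, so other MBAM versions may differ."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the poster's log re-wrapped one entry per line and abridged
# to the sections needed here (blank lines separate sections in the real log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
Database version: 1687
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 167717

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> No action taken.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+?) Infected: (?P<n>\d+)$")   # "Files Infected: 0"
HEADER_RE = re.compile(r"^(?P<cat>[A-Za-z ]+?) Infected:$")               # "Files Infected:"
# Detail entry: "<item> (<threat>) -> [Data: <data> -> ]<action>"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+)$")
# Values under this key (Userinit, Shell, Notify\...) execute at every interactive logon.
WINLOGON_PREFIX = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\"

@dataclass
class Finding:
    category: str        # section name, e.g. "Registry Data Items"
    item: str            # registry path or file path that was flagged
    threat: str          # detection name, e.g. "Trojan.Downloader"
    data: Optional[str]  # registry data, when the section reports one
    action: str          # what MBAM did, e.g. "No action taken."

@dataclass
class ScanReport:
    version: str = ""
    database: str = ""
    counts: Dict[str, int] = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)

def parse_mbam_log(text: str) -> ScanReport:
    """Read version, database, per-category counts and every listed detection."""
    report, section = ScanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.rsplit(" ", 1)[1]
        elif line.startswith("Database version: "):
            report.database = line.split(": ", 1)[1]
        elif (m := SUMMARY_RE.match(line)):
            report.counts[m["cat"]] = int(m["n"])
        elif (m := HEADER_RE.match(line)):
            section = m["cat"]          # following lines belong to this section
        elif not line:
            section = None              # a blank line closes the section
        elif section and (m := ITEM_RE.match(line)):
            report.findings.append(Finding(section, m["item"], m["threat"], m["data"], m["action"]))
        # "(No malicious items detected)" and scan metadata fall through and are ignored
    return report

def summary_matches_details(report: ScanReport) -> bool:
    """True when each summary count equals the number of entries listed under that heading."""
    listed: Dict[str, int] = {}
    for f in report.findings:
        listed[f.category] = listed.get(f.category, 0) + 1
    return all(listed.get(cat, 0) == n for cat, n in report.counts.items())

def winlogon_findings(report: ScanReport) -> List[Finding]:
    """Detections that sit under the Winlogon key and therefore run at logon."""
    return [f for f in report.findings if f.item.lower().startswith(WINLOGON_PREFIX)]

def triage(report: ScanReport) -> List[str]:
    """Lines a helper would want to see before deciding whether to let MBAM remove anything."""
    out = [f"MBAM {report.version}, database {report.database}",
           "summary counts match the detail sections" if summary_matches_details(report)
           else "WARNING: summary counts and detail sections disagree"]
    for f in report.findings:
        data = f" -> {f.data}" if f.data else ""
        out.append(f"[{f.category}] {f.threat}: {f.item}{data} ({f.action})")
    if winlogon_findings(report):
        out.append("Winlogon autostart flagged: deleting the value breaks interactive logon; "
                   "verify the referenced binary against a known-good copy instead")
    return out

if __name__ == "__main__":
    print("\n".join(triage(parse_mbam_log(SAMPLE_LOG))))
```

Run against the sample, the parser reports that the summary (two registry data items, zero files) agrees with the detail sections, so the "no file errors" in the log is internally consistent; the file-level alert in the popup the poster quoted came from a separate report, not from this log. Both flagged entries point at the Userinit value under Winlogon, which is why the triage line stresses checking the binary rather than removing the value.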