jsears

Everything posted by jsears

  1. Did some web surfing and everything seems to be operating correctly. To finish this off, should I:
     1) Purchase Malwarebytes?
     2) Remove my other antivirus software?
     3) Remove all of the additional programs downloaded to fix this particular issue (combofix, DDS, etc)?
     Thank you very much for your time and assistance. Please let me know what I can do to make sure your efforts are rewarded.
  2. SECURITY CHECK
     Results of screen317's Security Check version 0.99.10
     Windows XP Service Pack 3
     Internet Explorer 8
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Firewall Disabled!
     Avira AntiVir Personal - Free Antivirus
     ESET Online Scanner v3
     McAfee Security Scan Plus
     Avira successfully updated!
     ```````````````````````````````
     Anti-malware/Other Utilities Check:
     Malwarebytes' Anti-Malware
     Java 6 Update 24
     Adobe Flash Player 10.2.159.1
     Adobe Reader X (10.0.1)
     Mozilla Firefox (x86 en-US..)
     ````````````````````````````````
     Process Check: objlist.exe by Laurent
     Avira Antivir avgnt.exe
     Avira Antivir avguard.exe
     ESET ESET Online Scanner OnlineCmdLineScanner.exe
     ``````````End of Log````````````
     It's late and I can't thoroughly test the computer now to make sure it is clean. I'll check back tomorrow with any further problems. Thank you for your assistance.
  3. COMBOFIX ComboFix 11-04-27.02 - User 04/27/2011 23:41:21.3.4 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2365 [GMT -4:00] Running from: c:\documents and settings\User\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_19478F6C -------\Legacy_NORMANDY -------\Service_19478F6C -------\Service_Normandy . . ((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-28 ))))))))))))))))))))))))))))))) . . 2011-04-24 21:01 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll 2011-04-24 21:01 . 2011-03-18 17:53 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe 2011-04-24 21:01 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll 2011-04-24 21:01 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll 2011-04-24 21:01 . 2011-03-18 17:53 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll 2011-04-24 21:01 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll 2011-04-24 21:01 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll 2011-04-24 21:01 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll 2011-04-24 21:01 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll 2011-04-24 21:01 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll 2011-04-24 20:48 . 2011-04-24 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2011-04-24 20:48 . 
2011-04-24 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan 2011-04-24 20:48 . 2011-04-24 20:48 -------- d-----w- c:\program files\McAfee Security Scan 2011-04-24 20:48 . 2011-03-01 13:57 32592 ----a-w- c:\program files\Mozilla Firefox\plugins\np_gp.dll 2011-04-24 20:48 . 2011-04-24 20:48 -------- d-----w- c:\program files\NOS 2011-04-24 20:41 . 2011-04-24 20:41 -------- d-----w- c:\program files\Common Files\Java 2011-04-24 19:26 . 2011-04-24 19:26 -------- d-----w- c:\program files\ESET 2011-04-24 05:00 . 2011-04-24 05:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avira 2011-04-24 02:46 . 2011-04-24 02:46 -------- d-----w- c:\documents and settings\User\Application Data\Avira 2011-04-23 03:13 . 2011-04-23 03:13 -------- d-----w- c:\program files\Avira 2011-04-23 03:13 . 2011-04-23 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2011-04-23 03:13 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-04-23 03:13 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-04-23 03:13 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2011-04-23 03:13 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2011-04-23 00:14 . 2011-04-24 12:40 -------- d-----w- C:\TDSSKiller_Quarantine . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-03-07 05:33 . 2006-08-23 23:22 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-02-22 23:06 . 
2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec 2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys 2011-02-17 12:32 . 2009-04-15 09:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll 2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll 2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2011-02-03 01:40 . 2010-11-01 19:36 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-02-02 23:19 . 2010-11-01 19:36 73728 ----a-w- c:\windows\system32\javacpl.cpl 2011-02-02 07:58 . 2006-08-23 23:20 2067456 ----a-w- c:\windows\system32\mstscax.dll 2010-11-05 06:12 . 2010-11-06 18:12 44 ---h--w- c:\program files\3e61728d.tmp 2010-09-15 01:02 . 2010-09-15 01:02 1910144 ----a-w- c:\program files\lotrohigh.exe 2009-04-03 20:53 . 2009-04-03 20:25 140066664 ----a-w- c:\program files\wlsetup-all.exe 2009-04-03 20:23 . 2009-04-03 20:23 1144168 ----a-w- c:\program files\wlsetup-custom.exe 2004-10-01 19:00 . 2006-08-23 23:45 40960 ----a-w- c:\program files\Uninstall_CDS.exe 2011-03-18 17:53 . 2011-04-24 21:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-07 39408] "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-15 2969496] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SkyTel"="SkyTel.EXE" [2007-04-04 1822720] "RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 32768] "InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-14 1397760] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-01-15 557056] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688] "Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208] "RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464] "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912] "VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904] "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-07 68592] "SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-05-13 414720] "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376] "CPU Thermometer"="c:\program files\CPU Thermometer\CPUThermometer.exe" [2009-04-13 766976] "ActivControl"="c:\program files\Activ Software\ActivDriver\ActivControl2.exe" [2010-06-10 1092896] 
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 1983816] "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-27 98304] "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536] . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"= "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"= "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 "5353:TCP"= 5353:TCP:Adobe CSI CS4 "3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server "3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server "51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server "51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server "56549:TCP"= 56549:TCP:Pando Media Booster "56549:UDP"= 56549:UDP:Pando Media Booster "3389:TCP"= 3389:TCP:Remote Desktop "65533:TCP"= 65533:TCP:Services "52344:TCP"= 52344:TCP:Services . R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/22/2011 11:13 PM 135336] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/22/2008 6:53 PM 24652] R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [5/26/2010 3:20 PM 74752] R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [1/22/2006 6:37 PM 35840] R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [5/26/2010 3:21 PM 6144] R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?] R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?] 
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016] S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [8/18/2005 7168] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232] S3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [8/23/2009 4:06 PM 11136] S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 8:00 AM 14336] S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper . Contents of the 'Scheduled Tasks' folder . 2011-04-26 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34] . 2011-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-179605362-839522115-1004Core.job - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-23 20:58] . 2011-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-179605362-839522115-1004UA.job - c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-23 20:58] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qv3yeq1h.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com FF - user.js: yahoo.homepage.dontask - true . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-04-27 23:48 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . . c:\windows\TEMP\Perflib_Perfdata_810.dat 16384 bytes . scan completed successfully hidden files: 1 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver] "ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(740) c:\windows\system32\Ati2evxx.dll c:\windows\system32\atiadlxx.dll c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll . 
- - - - - - - > 'explorer.exe'(2784) c:\windows\system32\WININET.dll c:\documents and settings\All Users\Application Data\ACTIV Software\ActivApplications\ActivFocusHook.dll c:\windows\system32\webcheck.dll c:\windows\system32\IEFRAME.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\Ahead\InCD\InCDsrv.exe c:\windows\system32\Ati2evxx.exe c:\windows\RTHDCPL.EXE c:\program files\Activ Software\ActivDriver\activmgr.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Microsoft LifeCam\MSCamS32.exe c:\program files\Avira\AntiVir Desktop\avshadow.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2011-04-27 23:54:37 - machine was rebooted ComboFix-quarantined-files.txt 2011-04-28 03:54 ComboFix2.txt 2011-04-27 13:42 . Pre-Run: 327,689,220,096 bytes free Post-Run: 327,577,853,952 bytes free . - - End Of File - - 0F34CD55B42CAD71F20CCBB3C548F6F4 DDS . DDS (Ver_11-03-05.01) - NTFSx86 Run by User at 23:55:56.96 on Wed 04/27/2011 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2344 [GMT -4:00] . AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} . ============== Running Processes =============== . 
C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\Ati2evxx.exe svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe svchost.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\lg_fwupdate\fwupdate.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe C:\Program Files\CPU Thermometer\CPUThermometer.exe C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe C:\Program Files\Canon\MyPrinter\BJMyPrt.exe C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Pando Networks\Media Booster\PMB.exe C:\Program Files\Activ Software\ActivDriver\activmgr.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Microsoft LifeCam\MSCamS32.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\internet 
explorer\iexplore.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Documents and Settings\User\Desktop\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Contribute Toolbar: 
{517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [skyTel] SkyTel.EXE mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe" mRun: [inCD] c:\program files\ahead\incd\InCD.exe mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [RTHDCPL] RTHDCPL.EXE mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe" mRun: [VX3000] c:\windows\vVX3000.exe mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun mRun: [steelSeries World of Warcraft MMO Gaming Mouse] c:\program files\steelseries\world of warcraft mmo gaming mouse\WoWMHID.exe mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe" mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe" mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE mRun: [CPU Thermometer] "c:\program files\cpu thermometer\CPUThermometer.exe" -s mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon mRun: [iJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe mRun: [QuickTime Task] 
"c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe" mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: AtiExtEvent - Ati2evxx.dll Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\qv3yeq1h.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgoogletalk.dll FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgtpo3dautoplugin.dll FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\nos\bin\np_gp.dll FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll . ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true . ============= SERVICES / DRIVERS =============== . 
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-22 11608] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-22 135336] R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-22 269480] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-22 61960] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-22 24652] R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2010-5-26 74752] R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2006-1-22 35840] R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2010-5-26 6144] R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?] R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?] S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016] S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-18 7168] S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232] S3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [2009-8-23 11136] S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336] S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?] . =============== Created Last 30 ================ . 
2011-04-27 13:16:24 -------- d-sha-r- C:\cmdcons 2011-04-27 13:12:38 98816 ----a-w- c:\windows\sed.exe 2011-04-27 13:12:38 89088 ----a-w- c:\windows\MBR.exe 2011-04-27 13:12:38 256512 ----a-w- c:\windows\PEV.exe 2011-04-27 13:12:38 161792 ----a-w- c:\windows\SWREG.exe 2011-04-24 21:01:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll 2011-04-24 21:01:28 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll 2011-04-24 21:01:28 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll 2011-04-24 21:01:28 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll 2011-04-24 21:01:28 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll 2011-04-24 21:01:28 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll 2011-04-24 21:01:28 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll 2011-04-24 21:01:28 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe 2011-04-24 21:01:28 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll 2011-04-24 21:01:28 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll 2011-04-24 20:48:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan 2011-04-24 20:48:11 -------- d-----w- c:\program files\McAfee Security Scan 2011-04-24 20:48:06 32592 ----a-w- c:\program files\mozilla firefox\plugins\np_gp.dll 2011-04-24 19:26:19 -------- d-----w- c:\program files\ESET 2011-04-24 02:46:02 -------- d-----w- c:\docume~1\user\applic~1\Avira 2011-04-23 03:13:41 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-04-23 03:13:41 -------- d-----w- c:\program files\Avira 2011-04-23 03:13:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira 2011-04-23 00:14:58 -------- d-----w- C:\TDSSKiller_Quarantine . ==================== Find3M ==================== . 
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll 2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec 2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll 2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll 2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll 2011-02-03 01:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl 2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll 2010-11-05 06:12:14 44 ---h--w- c:\program files\3e61728d.tmp 2010-09-15 01:02:37 1910144 ----a-w- c:\program files\lotrohigh.exe 2009-04-03 20:53:28 140066664 ----a-w- c:\program files\wlsetup-all.exe 2009-04-03 20:23:50 1144168 ----a-w- c:\program files\wlsetup-custom.exe 2004-10-01 19:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe . 
============= FINISH: 23:56:08.70 ===============

ESET
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=ced0fb5e284f5b40a9dfabea27604983
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-24 08:31:08
# local_time=2011-04-24 04:31:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775141 100 93 0 39270264 0 0
# compatibility_mode=2817 16777215 100 100 57876152 57977905 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=280872
# found=2
# cleaned=2
# scan_time=3755
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\51\5a213bb3-5adec671    a variant of Win32/Injector.FXP trojan (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
C:\Documents and Settings\User\Local Settings\Application Data\ukp.exe    a variant of Win32/Injector.FXP trojan (cleaned by deleting - quarantined)    00000000000000000000000000000000    C

# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=ced0fb5e284f5b40a9dfabea27604983
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-28 04:59:19
# local_time=2011-04-28 12:59:19 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775141 100 93 0 39560025 16986 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=212018
# found=1
# cleaned=1
# scan_time=3685
C:\System Volume Information\_restore{F95C52C5-A834-4A04-AC28-FB1EC4C0C803}\RP881\A0068636.exe    a variant of Win32/Injector.FXP trojan (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
  4. Thank you! Here are the new logs. ComboFix: ComboFix 11-04-26.03 - User 04/27/2011 9:31.2.4 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2390 [GMT -4:00] Running from: c:\documents and settings\User\Desktop\ComboFix.exe AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\User\GoToAssistDownloadHelper.exe . . ((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 ))))))))))))))))))))))))))))))) . . 2011-04-24 21:01 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll 2011-04-24 21:01 . 2011-03-18 17:53 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe 2011-04-24 21:01 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll 2011-04-24 21:01 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll 2011-04-24 21:01 . 2011-03-18 17:53 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll 2011-04-24 21:01 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll 2011-04-24 21:01 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll 2011-04-24 21:01 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll 2011-04-24 21:01 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll 2011-04-24 21:01 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll 2011-04-24 20:48 . 2011-04-24 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee 2011-04-24 20:48 . 2011-04-24 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan 2011-04-24 20:48 . 2011-04-24 20:48 -------- d-----w- c:\program files\McAfee Security Scan 2011-04-24 20:48 . 
2011-03-01 13:57 32592 ----a-w- c:\program files\Mozilla Firefox\plugins\np_gp.dll 2011-04-24 20:48 . 2011-04-24 20:48 -------- d-----w- c:\program files\NOS 2011-04-24 20:41 . 2011-04-24 20:41 -------- d-----w- c:\program files\Common Files\Java 2011-04-24 19:26 . 2011-04-24 19:26 -------- d-----w- c:\program files\ESET 2011-04-24 05:00 . 2011-04-24 05:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avira 2011-04-24 02:46 . 2011-04-24 02:46 -------- d-----w- c:\documents and settings\User\Application Data\Avira 2011-04-23 03:13 . 2011-04-23 03:13 -------- d-----w- c:\program files\Avira 2011-04-23 03:13 . 2011-04-23 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2011-04-23 03:13 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys 2011-04-23 03:13 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2011-04-23 03:13 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2011-04-23 03:13 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2011-04-23 00:14 . 2011-04-24 12:40 -------- d-----w- C:\TDSSKiller_Quarantine . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-03-07 05:33 . 2006-08-23 23:22 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys 2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2011-02-22 23:06 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec 2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2011-02-17 13:18 . 
2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys 2011-02-17 12:32 . 2009-04-15 09:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll 2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-08 13:33 . 2004-08-04 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll 2011-02-08 13:33 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2011-02-03 01:40 . 2010-11-01 19:36 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-02-02 23:19 . 2010-11-01 19:36 73728 ----a-w- c:\windows\system32\javacpl.cpl 2011-02-02 07:58 . 2006-08-23 23:20 2067456 ----a-w- c:\windows\system32\mstscax.dll 2010-11-05 06:12 . 2010-11-06 18:12 44 ---h--w- c:\program files\3e61728d.tmp 2010-09-15 01:02 . 2010-09-15 01:02 1910144 ----a-w- c:\program files\lotrohigh.exe 2009-04-03 20:53 . 2009-04-03 20:25 140066664 ----a-w- c:\program files\wlsetup-all.exe 2009-04-03 20:23 . 2009-04-03 20:23 1144168 ----a-w- c:\program files\wlsetup-custom.exe 2004-10-01 19:00 . 2006-08-23 23:45 40960 ----a-w- c:\program files\Uninstall_CDS.exe 2011-03-18 17:53 . 2011-04-24 21:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-07 39408] "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-15 2969496] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SkyTel"="SkyTel.EXE" [2007-04-04 1822720] "RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 32768] "InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-14 1397760] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-01-15 557056] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688] "Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208] "RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464] "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912] "VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904] "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-07 68592] "SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-05-13 414720] "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376] "CPU Thermometer"="c:\program files\CPU Thermometer\CPUThermometer.exe" [2009-04-13 766976] "ActivControl"="c:\program files\Activ Software\ActivDriver\ActivControl2.exe" [2010-06-10 1092896] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 1983816] "IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888] 
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-27 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"= "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"= "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"56549:TCP"= 56549:TCP:Pando Media Booster
"56549:UDP"= 56549:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/22/2011 11:13 PM 135336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/22/2008 6:53 PM 24652]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [5/26/2010 3:20 PM 74752]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [1/22/2006 6:37 PM 35840]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [5/26/2010 3:21 PM 6144]
R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S3 19478F6C;19478F6C;c:\windows\system32\19478F6C.exe --> c:\windows\system32\19478F6C.exe [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [8/18/2005 7168]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [8/23/2009 4:06 PM 11136]
S3 Normandy;Normandy SR2; [x]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 8:00 AM 14336]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - SSMDRV
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper    REG_MULTI_SZ    nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-179605362-839522115-1004Core.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-23 20:58]
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-179605362-839522115-1004UA.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-23 20:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qv3yeq1h.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com FF - user.js: yahoo.homepage.dontask - true . - - - - ORPHANS REMOVED - - - - . HKCU-Run-PowerBar - (no file) HKCU-Run-Aim6 - (no file) HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-04-27 09:40 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . HKCU\Software\Microsoft\Windows\CurrentVersion\Run PowerBar = ????<????4@?h??????w????h???2??w(??????wt?@?l?@?`?b????????????????????????????????????????????????w???????w???w???????w???w?????4@????????????w????l?@?????.??w????t?@???`?????????l?@?l?@????????w????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@ . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver] "ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(740) c:\windows\system32\Ati2evxx.dll c:\windows\system32\atiadlxx.dll c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll . Completion time: 2011-04-27 09:42:00 ComboFix-quarantined-files.txt 2011-04-27 13:41 . Pre-Run: 325,121,118,208 bytes free Post-Run: 327,678,459,904 bytes free . - - End Of File - - ADC006D0C1EADDD153EFD6D79E0BEA66 DDS . DDS (Ver_11-03-05.01) - NTFSx86 Run by User at 9:43:23.85 on Wed 04/27/2011 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2164 [GMT -4:00] . AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7} . ============== Running Processes =============== . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Ahead\InCD\InCDsrv.exe svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe svchost.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\lg_fwupdate\fwupdate.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Microsoft LifeCam\MSCamS32.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe C:\Program Files\SteelSeries\World of Warcraft MMO Gaming 
Mouse\WoWMHID.exe C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe C:\Program Files\Canon\MyPrinter\BJMyPrt.exe C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Pando Networks\Media Booster\PMB.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\Activ Software\ActivDriver\activmgr.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe C:\Documents and Settings\User\Desktop\dds.scr . ============== Pseudo HJT Report =============== . 
uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe mRun: [skyTel] 
SkyTel.EXE mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe" mRun: [inCD] c:\program files\ahead\incd\InCD.exe mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [RTHDCPL] RTHDCPL.EXE mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe" mRun: [VX3000] c:\windows\vVX3000.exe mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun mRun: [steelSeries World of Warcraft MMO Gaming Mouse] c:\program files\steelseries\world of warcraft mmo gaming mouse\WoWMHID.exe mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe" mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe" mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE mRun: [CPU Thermometer] "c:\program files\cpu thermometer\CPUThermometer.exe" -s mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon mRun: [iJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe" mRun: [avgnt] "c:\program files\avira\antivir 
desktop\avgnt.exe" /min mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe" mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Filter: x-sdch - 
{B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: AtiExtEvent - Ati2evxx.dll Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\qv3yeq1h.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgoogletalk.dll FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgtpo3dautoplugin.dll FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\nos\bin\np_gp.dll FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll . ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true . ============= SERVICES / DRIVERS =============== . 
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-22 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-22 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-22 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-22 61960]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-22 24652]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2010-5-26 74752]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2006-1-22 35840]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2010-5-26 6144]
R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S3 19478F6C;19478F6C;c:\windows\system32\19478f6c.exe --> c:\windows\system32\19478F6C.exe [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-18 7168]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [2009-8-23 11136]
S3 Normandy;Normandy SR2; [x]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
.
=============== Created Last 30 ================
.
2011-04-27 13:16:24 -------- d-sha-r- C:\cmdcons
2011-04-27 13:12:38 98816 ----a-w- c:\windows\sed.exe
2011-04-27 13:12:38 89088 ----a-w- c:\windows\MBR.exe
2011-04-27 13:12:38 256512 ----a-w- c:\windows\PEV.exe
2011-04-27 13:12:38 161792 ----a-w- c:\windows\SWREG.exe
2011-04-24 21:01:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-24 21:01:28 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-24 21:01:28 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-24 21:01:28 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-04-24 21:01:28 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-24 21:01:28 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-24 21:01:28 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-24 21:01:28 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-04-24 21:01:28 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-24 21:01:28 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-24 20:48:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2011-04-24 20:48:11 -------- d-----w- c:\program files\McAfee Security Scan
2011-04-24 20:48:06 32592 ----a-w- c:\program files\mozilla firefox\plugins\np_gp.dll
2011-04-24 19:26:19 -------- d-----w- c:\program files\ESET
2011-04-24 02:46:02 -------- d-----w- c:\docume~1\user\applic~1\Avira
2011-04-23 03:13:41 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-23 03:13:41 -------- d-----w- c:\program files\Avira
2011-04-23 03:13:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-23 00:14:58 -------- d-----w- C:\TDSSKiller_Quarantine
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-03 01:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2010-11-05 06:12:14 44 ---h--w- c:\program files\3e61728d.tmp
2010-09-15 01:02:37 1910144 ----a-w- c:\program files\lotrohigh.exe
2009-04-03 20:53:28 140066664 ----a-w- c:\program files\wlsetup-all.exe
2009-04-03 20:23:50 1144168 ----a-w- c:\program files\wlsetup-custom.exe
2004-10-01 19:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
============= FINISH: 9:43:31.87 ===============
  5. Thank you so much for your help! I truly appreciate it.

MalwareBytes Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6440

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/25/2011 8:52:31 AM
mbam-log-2011-04-25 (08-52-31).txt

Scan type: Quick scan
Objects scanned: 226940
Time elapsed: 13 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 8:54:12.35 on Mon 04/25/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.1974 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\CPU Thermometer\CPUThermometer.exe
C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Activ Software\ActivDriver\activmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\User\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
uRun: [PowerBar]
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [skyTel] SkyTel.EXE
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [inCD] c:\program files\ahead\incd\InCD.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [steelSeries World of Warcraft MMO Gaming Mouse] c:\program files\steelseries\world of warcraft mmo gaming mouse\WoWMHID.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [CPU Thermometer] "c:\program files\cpu thermometer\CPUThermometer.exe" -s
mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [iJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\qv3yeq1h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-22 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-22 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-22 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-22 61960]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-22 24652]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2010-5-26 74752]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2006-1-22 35840]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2010-5-26 6144]
R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S3 19478F6C;19478F6C;c:\windows\system32\19478f6c.exe --> c:\windows\system32\19478F6C.exe [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-18 7168]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [2009-8-23 11136]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
.
=============== Created Last 30 ================
.
2011-04-24 21:01:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-24 21:01:28 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-24 21:01:28 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-24 21:01:28 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-04-24 21:01:28 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-24 21:01:28 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-24 21:01:28 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-24 21:01:28 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-04-24 21:01:28 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-24 21:01:28 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-24 20:48:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2011-04-24 20:48:11 -------- d-----w- c:\program files\McAfee Security Scan
2011-04-24 20:48:06 32592 ----a-w- c:\program files\mozilla firefox\plugins\np_gp.dll
2011-04-24 20:41:13 472808 ----a-w- c:\windows\system32\REN2775.tmp
2011-04-24 19:26:19 -------- d-----w- c:\program files\ESET
2011-04-24 02:46:02 -------- d-----w- c:\docume~1\user\applic~1\Avira
2011-04-23 03:13:41 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-23 03:13:41 -------- d-----w- c:\program files\Avira
2011-04-23 03:13:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-23 00:55:17 711168 ----a-w- c:\windows\isRS-000.tmp
2011-04-23 00:14:58 -------- d-----w- C:\TDSSKiller_Quarantine
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2010-11-05 06:12:14 44 ---h--w- c:\program files\3e61728d.tmp
2010-09-15 01:02:37 1910144 ----a-w- c:\program files\lotrohigh.exe
2009-04-03 20:53:28 140066664 ----a-w- c:\program files\wlsetup-all.exe
2009-04-03 20:23:50 1144168 ----a-w- c:\program files\wlsetup-custom.exe
2004-10-01 19:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
============= FINISH: 8:54:44.42 ===============
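The section of a DDS log that a helper reads first is SERVICES / DRIVERS, and the posted one shows every shape worth a second look: entries whose binary DDS could not find on disk (the trailing `[?]`), an entry with no image path at all (`[x]`), a service whose name is eight hex digits, drivers that carry the display name of a core Windows component (`TCP/IP Protocol Driver`, `IPSEC driver`) under a service name other than `tcpip`/`ipsec`, and a driver resolved to the root of a drive other than C:. The script below is an added example, not part of jsears' post and not a DDS or Malwarebytes tool; it parses entries in the DDS format and applies those checks as labelled heuristics. The `SAMPLE` text is constructed for the example from the entry shapes in the posted log, `CORE_DESCRIPTIONS` is an assumed two-entry reference table, and `[?]`/`[x]` are read as "image file not found" / "no image path", the usual reading of DDS output.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS "SERVICES / DRIVERS" format: the entry shapes seen
# in the posted log, not a copy of the whole section.
SAMPLE = r"""
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-22 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-22 61960]
R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S3 19478F6C;19478F6C;c:\windows\system32\19478f6c.exe --> c:\windows\system32\19478F6C.exe [?]
S3 Normandy;Normandy SR2; [x]
S3 nosGetPlusHelper;getPlus Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
"""

# Assumed reference table (not from the page): the display name Windows XP gives a
# few core drivers, keyed by the service name that legitimately carries it.
CORE_DESCRIPTIONS = {
    "tcpip": "tcp/ip protocol driver",
    "ipsec": "ipsec driver",
}

# Locations a service binary or kernel driver is expected to live under.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# "R1 name;Display Name;<image path and trailer>"
ENTRY = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Trailing "[date size]", "[?]" or "[x]" that DDS appends to each entry.
TRAILER = re.compile(r"\s*\[(?P<tag>[^\]]*)\]\s*$")


@dataclass
class Entry:
    start: str    # R1/R2/R3 running, S3 stopped or manual
    name: str     # service name
    display: str  # display name
    path: str     # resolved image path ("" when DDS recorded none)
    tag: str      # "date size", "?" (file not found) or "x" (no image path)


def parse_entries(text: str) -> list[Entry]:
    """Parse DDS service/driver lines; lines in any other format are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        t = TRAILER.search(rest)
        tag = t.group("tag") if t else ""
        body = rest[: t.start()] if t else rest
        # "recorded path --> path DDS actually looked for": keep the resolved one.
        if " --> " in body:
            body = body.split(" --> ", 1)[1]
        entries.append(Entry(m.group("start"), m.group("name").strip(),
                             m.group("display").strip(), body.strip(), tag))
    return entries


def suspicious_reasons(e: Entry) -> list[str]:
    """Heuristic flags for one entry; an empty list means nothing stood out."""
    reasons = []
    if e.tag == "?":
        reasons.append("image file not found")
    if e.tag == "x" or not e.path:
        reasons.append("no image path")
    # A core driver's description carried by a service with a different name.
    expected = next((svc for svc, desc in CORE_DESCRIPTIONS.items()
                     if desc == e.display.lower()), None)
    if expected and expected != e.name.lower():
        reasons.append(f"display name belongs to core driver '{expected}'")
    # Eight hex digits as a service name is a common auto-generated pattern.
    if re.fullmatch(r"[0-9A-Fa-f]{8}", e.name):
        reasons.append("random-looking 8-hex-digit service name")
    # Anything resolved outside the usual roots (here: a driver on d:\).
    if e.path and not e.path.lower().startswith(EXPECTED_ROOTS):
        reasons.append("image outside c:\\windows / c:\\program files")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Service name -> reasons, for every entry that raised at least one flag."""
    return {e.name: r for e in parse_entries(text) if (r := suspicious_reasons(e))}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A flag is a reason to look, not a verdict: `Normandy` is flagged for having no image path, but it is the Rootkit Unhooker driver that the same poster ran (the RkU report lists `Normandy.SYS (RKU Driver)`), and a missing-file flag on its own often points at a leftover from an uninstalled tool. The entries that deserve attention are the ones that stack flags, such as `xcpip` and `xpsec`, which carry the descriptions of `tcpip` and `ipsec` under different names and whose files DDS could not find.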
  6. I've been unable to remove a Google redirect virus, despite using Malwarebytes, TDSSKiller, Avira Anti Virus and fumbling along on my own. I think I need some pro help. Looking at the other people struggling with this on the forum, I went ahead and downloaded Rootkit Unhooker (but I don't see a Reports tab the instructions mention). Here's the report. Hope I ran it as I was supposed to:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #4
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x806240F0-->B87DE31E [unknown module filename]
ntkrnlpa.exe-->NtCreateThread, Type: Address change 0x805D1018-->B87DE314 [unknown module filename]
ntkrnlpa.exe-->NtDeleteKey, Type: Address change 0x8062458C-->B87DE323 [unknown module filename]
ntkrnlpa.exe-->NtDeleteValueKey, Type: Address change 0x8062475C-->B87DE32D [unknown module filename]
ntkrnlpa.exe-->NtLoadKey, Type: Address change 0x80626314-->B87DE332 [unknown module filename]
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x805CB440-->B87DE300 [unknown module filename]
ntkrnlpa.exe-->NtOpenThread, Type: Address change 0x805CB6CC-->B87DE305 [unknown module filename]
ntkrnlpa.exe-->NtReplaceKey, Type: Address change 0x806261C4-->B87DE33C [unknown module filename]
ntkrnlpa.exe-->NtRestoreKey, Type: Address change 0x80625AD0-->B87DE337 [unknown module filename]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x80622662-->B87DE328 [unknown module filename]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x8B038BD0 [4] System
0x895A8CD0 [132] C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH, Antivirus Scheduler)
0x89ECC788 [264] C:\Program Files\iPod\bin\iPodService.exe (Apple Inc., iPodService Module (32-bit))
0x8AC766B8 [372] C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation, WMI)
0x8ABF2298 [416] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java Quick Starter Service)
0x8962ADA0 [584] C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH, Antivirus On-Access Service)
0x8ABA29F8 [628] C:\Program Files\Microsoft LifeCam\MSCamS32.exe (Microsoft Corporation, MsCamSvc.exe)
0x8AB83550 [640] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x8AB45B90 [704] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x8ABE2278 [736] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x8AACADA0 [780] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x8AC2FDA0 [792] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x8AAB0960 [856] C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation, Windows Security Center Notification App)
0x8AB45718 [956] C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc., ATI External Event Utility EXE Module)
0x8AB436F0 [976] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8AB0D860 [992] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8ABE0A50 [1052] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A00EDA0 [1096] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8AAE9BB8 [1136] C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation, ViewMgr)
0x8AAD7958 [1148] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8AB3B1E8 [1168] C:\Program Files\Ahead\InCD\InCDsrv.exe (Nero AG, incdsrv)
0x8AC0AC18 [1296] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8AB04990 [1364] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8AA63A20 [1536] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x8ABA6DA0 [1592] C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc., ATI External Event Utility EXE Module)
0x8AAF9DA0 [1628] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89549638 [1660] C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation, Firefox)
0x8AB05DA0 [1692] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc., Apple Mobile Device Service)
0x8A49EDA0 [1716] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)
0x8ABDDA60 [1788] C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc., Intuit Update Service)
0x8AE076D0 [2116] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (ATI Technologies Inc., Catalyst Control Center: Host application)
0x8ABB49A8 [2168] C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe (Cyberlink Corp., PowerDVD RC Service)
0x8ABB4DA0 [2176] C:\Program Files\Ahead\InCD\InCD.exe (Nero AG, InCD)
0x8AAC64C0 [2212] C:\Program Files\lg_fwupdate\fwupdate.exe (BitLeader, -)
0x8AAB7DA0 [2264] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp., Realtek HD Audio Control Panel)
0x8AB5D4A0 [2332] C:\Program Files\ClamWin\bin\ClamTray.exe (alch, ClamWin Antivirus)
0x8ABEB930 [2392] C:\WINDOWS\vVX3000.exe (Microsoft Corporation, Microsoft LifeCam Device Application)
0x8AC21A70 [2584] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc., Quick Search Box)
0x8AB9ADA0 [2596] C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe (-, HID MFC Application)
0x8AC37320 [2632] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe (Adobe Systems Inc., AcroTray)
0x8AAC26E8 [2728] C:\Program Files\CPU Thermometer\CPUThermometer.exe
0x8AA8C738 [2824] C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe (Promethean Technologies Group Ltd, ActivControl v2)
0x8AA8E320 [2860] C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC., Canon My Printer)
0x8AAA6368 [2896] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC., Canon IJ Network Scan Utility)
0x8AA5ABE0 [2952] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc., iTunesHelper)
0x89628DA0 [2964] C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH, AntiVir shadow copy service)
0x8AA575D8 [3000] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java Update Scheduler)
0x8AC90320 [3304] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Advanced Micro Devices Inc., Catalyst Control Center: Monitoring program)
0x8AA8F6B0 [3408] C:\Program Files\Activ Software\ActivDriver\ActivMgr.exe (-, ActivManager)
0x8A105DA0 [3504] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x8A0D9DA0 [3560] C:\Program Files\Pando Networks\Media Booster\PMB.exe (-, Pando Media Booster)
0x89FC8AB0 [3792] C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc., Java Update Checker)
0x8962FDA0 [3796] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH, Antivirus System Tray Tool)
0x8AB82A30 [4184] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x895E5698 [4736] C:\Documents and Settings\User\Desktop\RkU3.8.388.590\MustBeRandomlyNamed\7r0iOhSiwT8hh2arBD.exe (UG North, RKULE, SR2 Normandy)
0x8A0F2200 [5400] C:\Documents and Settings\User\Desktop\tdsskiller.exe (Kaspersky Lab ZAO, TDSS rootkit removing tool)
==============================================
>Drivers
==============================================
0xB7239000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 5857280 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xAAC0B000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4542464 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBD220000 C:\WINDOWS\System32\ati3duag.dll 3960832 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBD5E7000 C:\WINDOWS\System32\ativvaxx.dll 2674688 bytes (Advanced Micro Devices, Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xAA813000 C:\WINDOWS\system32\DRIVERS\VX3000.sys 1957888 bytes (Microsoft Corporation, Microsoft LifeCam VX3000 Device Driver)
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBD10C000 C:\WINDOWS\System32\atikvmag.dll 716800 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xBD060000 C:\WINDOWS\System32\ati2cqag.dll 704512 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xB7E5B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAA9F1000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xBD1BB000 C:\WINDOWS\System32\atiok3x2.dll 413696 bytes (Advanced Micro Devices, Inc., Ring 0 x2 component)
0xB7109000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAAAD6000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA72FB000 C:\WINDOWS\system32\drivers\xcpip.sys 364544 bytes
0xA7689000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBD012000 C:\WINDOWS\System32\ati2dvag.dll 319488 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBD874000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA6AAC000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA795D000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB7E2E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA203F000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAAA61000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB71FD000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xAAAAE000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA6449000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 155648 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xAB060000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB71D9000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB71B6000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA7120000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xAAA8C000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB7F11000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB7F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xAB084000 C:\WINDOWS\system32\drivers\AtiHdmi.sys 110592 bytes (ATI Research Inc., Ati High Definition Audio Function Driver)
0xB7E14000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xAAB42000 C:\WINDOWS\System32\Drivers\InCDfs.SYS 102400 bytes (Nero AG, InCD File System Driver)
0xB7F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAA733000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB7EE8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB7178000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA6434000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0xA77F7000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB71A2000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB7225000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB718F000 C:\WINDOWS\system32\DRIVERS\activhidsermini.sys 77824 bytes (Promethean Technologies Ltd, Promethean Activboard)
0xAAB2F000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xA737C000 C:\WINDOWS\system32\drivers\xpsec.sys 77824 bytes
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xA202D000 C:\WINDOWS\system32\drivers\klmd.sys 73728 bytes
0xB7EFF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xA7924000 C:\WINDOWS\System32\Drivers\adfs.SYS 69632 bytes (Adobe Systems, Inc., Adobe Drive File System Driver)
0xB7F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB7167000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB77FF000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB8228000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB8248000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB82E8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB8238000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA78CC000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB783F000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xB82B8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB80E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB8268000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xB784F000 C:\WINDOWS\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xB80C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB8288000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB785F000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB8218000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xB80B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB8278000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB80A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB82C8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB82A8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB8208000 C:\WINDOWS\system32\DRIVERS\atl01_xp.sys 36864 bytes (Attansic Technology corporation., Attansic L1 Gigabit Ethernet Controller ndis miniport driver)
0xB80D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB8258000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB81F8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB8298000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB8318000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA6FA0000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB8308000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB83C0000 C:\WINDOWS\system32\DRIVERS\activmouse.sys 32768 bytes (Promethean Technologies Ltd, Promethean Multiple Screen Mouse Filter)
0xB8350000 C:\WINDOWS\System32\DRIVERS\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)
0xB83F0000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB83F8000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xB84A8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB8390000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB84B0000 C:\WINDOWS\System32\Drivers\incdrm.SYS 28672 bytes (Nero AG, Ahead MRW Filter Driver)
0xB8328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB8388000
C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter) 0xB83B0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver) 0xB83B8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver) 0xB8408000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver) 0xB84A0000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver) 0xB83E0000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver) 0xB83E8000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver) 0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager) 0xB83A0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library) 0xB83A8000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver) 0xB8398000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper) 0xB8410000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver) 0xB8560000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver) 0xB7AA5000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver) 0xA7BDE000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver) 0xB7DD4000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator) 0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver) 0xAABEF000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver) 0xB7101000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 
12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices) 0xB7DEC000 C:\WINDOWS\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer) 0xB7A9D000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver) 0xB7AB1000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver) 0xB7DE8000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver) 0xB85DC000 C:\WINDOWS\system32\DRIVERS\ASACPI.sys 8192 bytes (-, ATK0110 ACPI Utility) 0xB8612000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter) 0xB85E8000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver) 0xB8604000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes 0xB85E6000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver) 0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL) 0xB85EA000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator) 0xB862C000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver) 0xB85EC000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport) 0xB85DE000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator) 0xB85E0000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver) 0xB85AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll) 0xB87B8000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver) 0xB874C000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX 
Graphics Driver Thunk) 0xB87A3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver) 0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver) ============================================== >Stealth ============================================== 0x05770000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 102400 bytes 0x05A10000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 102400 bytes 0x8A279BEE Unknown page with executable code, 1042 bytes 0x055C0000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 1077248 bytes 0x01260000 Hidden Image-->CLI.Foundation.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 110592 bytes 0x059F0000 Hidden Image-->Branding.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 110592 bytes 0x05AE0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 110592 bytes 0x8A287B76 Unknown page with executable code, 1162 bytes 0x00D00000 Hidden Image-->MOM.Implementation.dll [ EPROCESS 0x8AC90320 ] PID: 3304, 118784 bytes 0x03F80000 Hidden Image-->MOM.Implementation.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 118784 bytes 0x08260000 Hidden Image-->CLI.Component.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 1232896 bytes 0x05730000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 126976 bytes 0x8A265F62 Unknown page with executable code, 158 bytes 0x08510000 Hidden Image-->CLI.Aspect.Grid.HydraVision.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 159744 bytes 0x8A263975 Unknown page with executable code, 1675 bytes 0x05130000 Hidden Image-->CLI.Caste.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 167936 bytes 0x08540000 Hidden Image-->CLI.Aspect.DeskMan.HydraVision.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 167936 bytes 0x08B80000 Hidden Image-->CLI.Aspect.Settings.HydraVision.Dashboard.dll [ 
EPROCESS 0x8AE076D0 ] PID: 2116, 167936 bytes 0x07B70000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 1748992 bytes 0x07EA0000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 192512 bytes 0x038B0000 Hidden Image-->System.XML.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 2060288 bytes 0x08620000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 208896 bytes 0x069E0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 217088 bytes 0x08570000 Hidden Image-->CLI.Aspect.MDProp.HydraVision.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 225280 bytes 0x8A27A641 Unknown page with executable code, 2495 bytes 0x085B0000 Hidden Image-->CLI.Aspect.MultiDesk.HydraVision.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 249856 bytes 0x8A27B5F2 Unknown page with executable code, 2574 bytes 0x04650000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 266240 bytes 0x043A0000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 270336 bytes 0x07DE0000 Hidden Image-->CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 282624 bytes 0x033B0000 Hidden Image-->MOM.Foundation.dll [ EPROCESS 0x8AC90320 ] PID: 3304, 28672 bytes 0x03CD0000 Hidden Image-->LOG.Foundation.Implementation.Private.dll [ EPROCESS 0x8AC90320 ] PID: 3304, 28672 bytes 0x01250000 Hidden Image-->MOM.Foundation.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x01280000 Hidden Image-->LOG.Foundation.Implementation.Private.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x04040000 Hidden Image-->CLI.Component.Runtime.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x04CF0000 Hidden Image-->DEM.Foundation.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x044A0000 Hidden Image-->AEM.Server.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 
0x04540000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x04520000 Hidden Image-->AEM.Plugin.DPPE.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x04BD0000 Hidden Image-->AEM.Plugin.WinMessages.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x051B0000 Hidden Image-->AEM.Plugin.GD.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x04D00000 Hidden Image-->DEM.Graphics.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x05170000 Hidden Image-->DEM.Graphics.I0709.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x05220000 Hidden Image-->ResourceManagement.Foundation.Private.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x05200000 Hidden Image-->AEM.Actions.CCAA.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x05360000 Hidden Image-->DEM.Graphics.I0804.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x061F0000 Hidden Image-->DEM.Graphics.I0706.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x054E0000 Hidden Image-->AEM.Plugin.EEU.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x054D0000 Hidden Image-->CLI.Component.Client.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x05560000 Hidden Image-->CLI.Component.Wizard.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x05590000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x05920000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x05AD0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x05E90000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x06010000 Hidden Image-->DEM.Graphics.I0912.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x06120000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 
0x06190000 Hidden Image-->DEM.Graphics.I0906.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x061C0000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x061E0000 Hidden Image-->DEM.Graphics.I0712.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x06260000 Hidden Image-->DEM.Graphics.I0812.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x06290000 Hidden Image-->DEM.Graphics.I0805.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x062F0000 Hidden Image-->DEM.Graphics.I0703.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x06380000 Hidden Image-->atixclib.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x066B0000 Hidden Image-->CLI.Caste.HydraVision.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x06750000 Hidden Image-->CLI.Aspect.MDProp.HydraVision.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x06740000 Hidden Image-->CLI.Aspect.MultiDesk.HydraVision.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x06730000 Hidden Image-->CLI.Aspect.Grid.HydraVision.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x06790000 Hidden Image-->AEM.Plugin.REG.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x067E0000 Hidden Image-->APM.Foundation.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x06B50000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x077C0000 Hidden Image-->CLI.Caste.HydraVision.Wizard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x078B0000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x084B0000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x08500000 Hidden Image-->CLI.Caste.HydraVision.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 28672 bytes 0x04030000 Hidden Image-->System.Data.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 2961408 bytes 0x8A27A42B Unknown page with 
executable code, 3029 bytes 0x04BE0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 307200 bytes 0x03CF0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x8AC90320 ] PID: 3304, 307200 bytes 0x032D0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 307200 bytes 0x034B0000 Hidden Image-->System.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 3190784 bytes 0x07EE0000 Hidden Image-->CLI.Aspect.HydraVision.Wizard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 323584 bytes 0x8A24528D Unknown page with executable code, 3443 bytes 0x8A27CE9E Unknown page with executable code, 354 bytes 0x043A0000 Hidden Image-->NEWAEM.Foundation.dll [ EPROCESS 0x8AC90320 ] PID: 3304, 36864 bytes 0x03FD0000 Hidden Image-->CLI.Foundation.XManifest.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x04030000 Hidden Image-->AxInterop.WBOCXLib.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x040E0000 Hidden Image-->NEWAEM.Foundation.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x04510000 Hidden Image-->Interop.WBOCXLib.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x054B0000 Hidden Image-->CLI.Component.Wizard.Shared.Private.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x05A70000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x05A30000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x05C10000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x05C00000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x05C30000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x05C60000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x066A0000 Hidden Image-->CLI.Caste.HydraVision.Runtime.dll [ 
EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x06780000 Hidden Image-->CLI.Aspect.Settings.HydraVision.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x06770000 Hidden Image-->CLI.Aspect.DeskMan.HydraVision.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x067F0000 Hidden Image-->CLI.Aspect.VeryLargeDesktop.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x078A0000 Hidden Image-->CLI.Component.Dashboard.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 36864 bytes 0x8A266127 Unknown page with executable code, 3801 bytes 0x08660000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 389120 bytes 0x050C0000 Hidden Image-->CLI.Caste.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 397312 bytes 0x07E30000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 405504 bytes 0x086C0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 405504 bytes 0x054F0000 Hidden Image-->CLI.Component.Wizard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 413696 bytes 0x056B0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 421888 bytes 0x078C0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 421888 bytes 0x03840000 Hidden Image-->System.configuration.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 438272 bytes 0x01200000 Hidden Image-->LOG.Foundation.dll [ EPROCESS 0x8AC90320 ] PID: 3304, 45056 bytes 0x01270000 Hidden Image-->LOG.Foundation.Private.dll [ EPROCESS 0x8AC90320 ] PID: 3304, 45056 bytes 0x04370000 Hidden Image-->CCC.Implementation.dll [ EPROCESS 0x8AC90320 ] PID: 3304, 45056 bytes 0x00D50000 Hidden Image-->CCC.Implementation.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 45056 bytes 0x03330000 Hidden Image-->LOG.Foundation.Private.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 45056 bytes 0x01240000 Hidden Image-->LOG.Foundation.dll [ EPROCESS 
0x8AE076D0 ] PID: 2116, 45056 bytes 0x04060000 Hidden Image-->ATICCCom.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 45056 bytes 0x05910000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 45056 bytes 0x05A60000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 45056 bytes 0x06720000 Hidden Image-->CLI.Aspect.Settings.HydraVision.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 45056 bytes 0x066D0000 Hidden Image-->CLI.Aspect.MultiDesk.HydraVision.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 45056 bytes 0x066C0000 Hidden Image-->CLI.Aspect.Grid.HydraVision.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 45056 bytes 0x066F0000 Hidden Image-->CLI.Aspect.DeskMan.HydraVision.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 45056 bytes 0x066E0000 Hidden Image-->CLI.Aspect.MDProp.HydraVision.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 45056 bytes 0x04D20000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 462848 bytes 0x03020000 Hidden Image-->Intuit.Spc.Foundations.Portability.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 471040 bytes 0x044B0000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 479232 bytes 0x04E40000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 5033984 bytes 0x00F10000 Hidden Image-->Intuit.Spc.Foundations.Primary.Logging.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 53248 bytes 0x04010000 Hidden Image-->CLI.Foundation.Private.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 53248 bytes 0x040D0000 Hidden Image-->AEM.Server.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 53248 bytes 0x044C0000 Hidden Image-->AEM.Plugin.Source.Kit.Server.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 53248 bytes 0x04CE0000 Hidden Image-->DEM.Graphics.I0601.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 53248 bytes 0x05570000 Hidden Image-->CLI.Caste.Graphics.Wizard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 53248 bytes 0x058D0000 Hidden 
Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 53248 bytes 0x058C0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 53248 bytes 0x058E0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 53248 bytes 0x06130000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 53248 bytes 0x06170000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 53248 bytes 0x069B0000 Hidden Image-->CLI.Component.Client.Shared.Private.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 53248 bytes 0x08730000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 585728 bytes 0x06910000 Hidden Image-->CLI.Component.Systemtray.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 593920 bytes 0x8A2D0568 Unknown thread object [ ETHREAD 0x8ACC6130 ] , 600 bytes 0x8A24667C Unknown thread object [ ETHREAD 0x8AAFCDA8 ] , 600 bytes 0x04000000 Hidden Image-->CLI.Component.Runtime.Shared.Private.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 61440 bytes 0x05AA0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 61440 bytes 0x05EE0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 61440 bytes 0x06240000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 61440 bytes 0x06230000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 61440 bytes 0x05410000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 634880 bytes 0x089A0000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 667648 bytes 0x03FA0000 Hidden Image-->CLI.Component.SkinFactory.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 69632 bytes 0x03FE0000 Hidden Image-->CLI.Component.Runtime.dll [ 
EPROCESS 0x8AE076D0 ] PID: 2116, 69632 bytes 0x06150000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 69632 bytes 0x067C0000 Hidden Image-->APM.Server.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 69632 bytes 0x08980000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 69632 bytes 0x06020000 Hidden Image-->ResourceManagement.Foundation.Implementation.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 749568 bytes 0x8A262CFD Unknown page with executable code, 771 bytes 0x037E0000 Hidden Image-->Intuit.Spc.Foundations.Primary.ExceptionHandling.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 77824 bytes 0x01280000 Hidden Image-->LOG.Foundation.Implementation.dll [ EPROCESS 0x8AC90320 ] PID: 3304, 77824 bytes 0x032B0000 Hidden Image-->LOG.Foundation.Implementation.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 77824 bytes 0x05A40000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 77824 bytes 0x05C40000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 77824 bytes 0x05D70000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 77824 bytes 0x05EA0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 77824 bytes 0x06200000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 77824 bytes 0x08600000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 77824 bytes 0x03F70000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x8ABDDA60 ] PID: 1788, 778240 bytes 0x03820000 Hidden Image-->Intuit.Spc.Foundations.Primary.Config.dll [ EPROCESS 0x8ABDDA60 ] PID: 1788, 86016 bytes 0x040A0000 Hidden Image-->ADL.Foundation.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 86016 bytes 0x05AB0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 86016 bytes 0x05A80000 
Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 86016 bytes 0x05EC0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 86016 bytes 0x084E0000 Hidden Image-->CLI.Caste.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 86016 bytes 0x8A287C96 Unknown page with executable code, 874 bytes 0x088A0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.dll [ EPROCESS 0x8AE076D0 ] PID: 2116, 888832 bytes ============================================== >Files ============================================== ============================================== >Hooks ============================================== ntkrnlpa.exe+0x0002D554, Type: Inline - RelativeJump 0x80504554-->80504514 [ntkrnlpa.exe] ntkrnlpa.exe+0x0002D57C, Type: Inline - RelativeJump 0x8050457C-->8050453C [ntkrnlpa.exe] ntkrnlpa.exe+0x0002D608, Type: Inline - RelativeJump 0x80504608-->805045C8 [ntkrnlpa.exe] ntkrnlpa.exe+0x0002D668, Type: Inline - RelativeJump 0x80504668-->80504628 [ntkrnlpa.exe] ntkrnlpa.exe+0x0002D784, Type: Inline - RelativeJump 0x80504784-->80504744 [ntkrnlpa.exe] ntkrnlpa.exe+0x0002D85C, Type: Inline - RelativeJump 0x8050485C-->8050481C [ntkrnlpa.exe] ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe] [132]sched.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page] [132]sched.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page] [132]sched.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page] [132]sched.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page] [132]sched.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page] [1592]ati2evxx.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page] 
[1592]ati2evxx.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page] [1592]ati2evxx.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page] [1592]ati2evxx.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page] [1592]ati2evxx.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page] [1660]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->00000000 [firefox.exe] [1692]AppleMobileDeviceService.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page] [1692]AppleMobileDeviceService.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page] [1692]AppleMobileDeviceService.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page] [1692]AppleMobileDeviceService.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page] [1692]AppleMobileDeviceService.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page] [1716]mDNSResponder.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page] [1716]mDNSResponder.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page] [1716]mDNSResponder.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page] [1716]mDNSResponder.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page] [1716]mDNSResponder.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page] [1788]IntuitUpdateService.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page] [1788]IntuitUpdateService.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 
0x71AB676F-->00000000 [unknown_code_page]
[1788]IntuitUpdateService.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[1788]IntuitUpdateService.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[1788]IntuitUpdateService.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[2116]CCC.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[2116]CCC.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[2116]CCC.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[2116]CCC.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[2116]CCC.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[2168]PDVDServ.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[2168]PDVDServ.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[2168]PDVDServ.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[2168]PDVDServ.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[2168]PDVDServ.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[2212]fwupdate.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[2212]fwupdate.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[2212]fwupdate.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[2212]fwupdate.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[2212]fwupdate.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[2584]GoogleQuickSearchBox.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[2584]GoogleQuickSearchBox.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[2584]GoogleQuickSearchBox.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[2584]GoogleQuickSearchBox.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[2584]GoogleQuickSearchBox.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[264]iPodService.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[264]iPodService.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[264]iPodService.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[264]iPodService.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[264]iPodService.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[2952]iTunesHelper.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[2952]iTunesHelper.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[2952]iTunesHelper.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[2952]iTunesHelper.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[2952]iTunesHelper.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[2964]avshadow.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[2964]avshadow.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[2964]avshadow.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[2964]avshadow.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[2964]avshadow.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[3000]jusched.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[3000]jusched.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[3000]jusched.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[3000]jusched.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[3000]jusched.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[3304]MOM.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[3304]MOM.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[3304]MOM.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[3304]MOM.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[3304]MOM.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[3408]ActivMgr.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[3408]ActivMgr.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[3408]ActivMgr.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[3408]ActivMgr.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[3408]ActivMgr.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[3560]PMB.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x7C84495D-->00000000 [unknown_code_page]
[3560]PMB.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[3560]PMB.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[3560]PMB.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[3560]PMB.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[3560]PMB.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[372]wmiprvse.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[372]wmiprvse.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[372]wmiprvse.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[372]wmiprvse.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[372]wmiprvse.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[3792]jucheck.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[3792]jucheck.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[3792]jucheck.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[3792]jucheck.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[3792]jucheck.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[416]jqs.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[416]jqs.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[416]jqs.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[416]jqs.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[416]jqs.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[4184]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[4184]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[4184]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[4184]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[4184]explorer.exe-->user32.dll-->DisplayExitWindowsWarnings, Type: Inline - RelativeJump 0x7E459F91-->00000000 [unknown_code_page]
[4184]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[4184]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[4184]explorer.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[4184]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[4184]explorer.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[4184]explorer.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[4184]explorer.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[4184]explorer.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]
[584]avguard.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump 0x71AB3E2B-->00000000 [unknown_code_page]
[584]avguard.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]
[584]avguard.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]
[584]avguard.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]
[584]avguard.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!!

=) I also cleared out Windows Security 2011 virus yesterday too, if that info is useful. Thank you for any help you can offer!
  7. Thank you so much for your help so far! Making real progress. Booted with Avira and removed / renamed some items. Rebooted, was able to install Malwarebytes and run it. Removed items in Malwarebytes, rebooted, and ran HijackThis. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.34
Database version: 1761
Windows 5.1.2600 Service Pack 2

2/14/2009 11:00:12 AM
mbam-log-2009-02-14 (11-00-12).txt

Scan type: Quick Scan
Objects scanned: 72229
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall (Adware.Mirar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\UACdxcpawqc.dll.XXX (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACmxmnmwfy.dll.XXX (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACorsaorju.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwjenbitr.dll.XXX (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACwylkxjty.sys.XXX (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Local Settings\Temp\csrssc.exe.XXX (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Local Settings\Temp\mir12g.exe.XXX (Adware.Mirar) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Local Settings\Temp\Temporary Internet Files\Content.IE5\7581EK7T\l26[1].exe.XXX (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1IF6NOT\mir12g[1].exe.XXX (Adware.Mirar) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Local Settings\Temp\Temporary Internet Files\Content.IE5\CHQVCPMF\clicker[1].txt.XXX (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\John\Local Settings\Temp\Temporary Internet Files\Content.IE5\XYZ9ATLM\26[1].exe.XXX (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\kernel32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\a9k.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACmnqgrsmn.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACrmddefrq.dat (Trojan.Agent) -> Quarantined and deleted successfully.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:27 AM, on 2/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ClamWin Antivirus\bin\ClamTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\John\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\RK_Launcher_04_Beta\RKLauncher.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin Antivirus\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to RKLauncher.lnk = C:\Program Files\RK_Launcher_04_Beta\RKLauncher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9281 bytes

Are we clean? Thank you again!
  8. Thank you for the quick reply. ComboFix won't install. I downloaded it to the infected computer and tried to install in Safe Mode. Double-clicked the icon, got the "Unsigned" warning screen, clicked Run, and then nothing. This is the same thing that happens when I try to install Malwarebytes. I rebooted a few times and managed to get into regular Windows mode. The instructions for ComboFix said to disable existing antivirus software so I turned off SpyBot and ClamWin AntiVirus. Double-clicked ComboFix, clicked Run, and this time a small progress bar appeared but a few seconds later I got a warning that said ComboFix was corrupt and to redownload it. Deleted ComboFix, tried to navigate to a site to redownload ComboFix but my browser is completely hijacked. Downloaded ComboFix on a clean computer, moved it to the infected computer, tried to run it and it quit out with no warning.
  9. Ran into MS AntiSpyware 2009. Downloaded mbam-setup.exe, but it wouldn't install. After searching these forums saw Dr. Cure It mentioned. Could get that to install and run. It found and deleted 14 items. Tried running Malwarebytes setup again, but it still wouldn't launch. Left the computer for a bit and when I came back there was a blue screen with something about physical memory dump. Rebooted, but Windows wouldn't start. Can get to safe mode, but Malwarebytes still won't install in safe mode. I can't even register or post to this forum from that computer (my browser was being hijacked when trying to get to anti-spyware sites. I blame the virus.) Here's a HijackThis log run from safe mode:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:31 AM, on 2/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/MemberHome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin Antivirus\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to RKLauncher.lnk = C:\Program Files\RK_Launcher_04_Beta\RKLauncher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7480 bytes

Help!