
'Win 7 Internet Security 2012' took over



Was surfing, took a break to get a snack. When I came back, I noticed the new window explaining that my Dell laptop had been taken over by a virus and to click 'here' to download the software necessary to fix everything. Yea, right.

I've seen this kind of 'come on' before, so I knew what was up. I tried to execute the Malwarebytes software, which was supposed to be running at bootup. It gave me a 'Your trial period is over, so you are not allowed to use these functions' - type of message (that figures - Murphy at work). When I tried to run a scan or update the database, nothing would happen. I also had Webroot running, and it also didn't notice anything unusual (Murphy again). Attempting to manually execute Webroot resulted in absolutely no visible result, so I assumed that my 'kidnapper' had prevented all this.

I turned off our wireless router in an effort to prevent the 'kidnapper' from spreading to any other computers on our LAN. Then, I shut my laptop down and rebooted, selecting the Administrator identity. I don't use it very often, so the first attempt at presenting the password failed. Using the hint, I received the 'Welcome' screen. After more than an hour, the Welcome screen still hasn't finished coming up and the little rotating circle is still rotating.

The second computer on our LAN is my wife's Dell laptop (XP), which she uses on-the-job and I don't want to expose it to this problem unnecessarily.

The third (and last) computer on the LAN is an old Sony Vaio running Win 2000. I disconnected the router from the modem and connected the modem to the Vaio directly with an Ethernet cable. That is how I am communicating with you, now.

This is probably more information than you want but ... Murphy's Law and all that.

I've read some of the other entries in this forum and you always tell the people to download one or more programs to be run. So, how do I do that? I could download it onto the Sony, transfer it to a Thumb drive, move the Thumb drive to my laptop (hope that it isn't also blocked), and execute it. Is that what you recommend? If not, what?

So, "I'm infected and don't know what to do" .... Now what?

Freddy02


  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.

-screen317

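To triage a pasted TDSSKiller log of the kind screen317 asks for above, here is an added example that is not from this thread and not part of Kaspersky's tool: a small Python parser for the log layout visible in the thread (a timestamp, a process id, the driver name, its MD5 in parentheses and its path, followed later by a "name - verdict" line). It re-joins paths that the forum paste wrapped onto a second line and lists every entry whose verdict is not the plain "ok". The regular expressions and the log-name pattern (UtilityName.Version_Date_Time_log.txt) are inferred from the lines on this page rather than from a documented format; the sample log is constructed, reusing two real entries from the log posted later in the thread plus an invented third entry with invented verdict wording.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ScanEntry:
    """One scanned driver/service from a TDSSKiller log."""
    name: str
    md5: str
    path: str
    verdict: Optional[str] = None  # filled from the later "name - verdict" line


@dataclass
class ScanReport:
    boot_type: Optional[str] = None  # e.g. "Safe boot with network"
    entries: List[ScanEntry] = field(default_factory=list)

    def flagged(self) -> List[ScanEntry]:
        """Entries with a missing verdict or one other than the plain 'ok'."""
        return [e for e in self.entries if e.verdict != "ok"]


# Every log line starts with "HH:MM:SS.mmmm <pid> "; the patterns below are
# inferred from the log lines quoted in this thread (an assumption, not a
# documented format).
STAMP = r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
ENTRY_RE = re.compile(STAMP + r"(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
VERDICT_RE = re.compile(STAMP + r"(?P<name>.+?) - (?P<verdict>.+)$")
BOOT_RE = re.compile(STAMP + r"Boot type: (?P<boot>.+)$")
# Log file name pattern from the staff post: UtilityName.Version_Date_Time_log.txt
LOGNAME_RE = re.compile(
    r"^(?P<tool>\w+)\.(?P<version>[\d.]+)_(?P<date>\d{2}\.\d{2}\.\d{4})"
    r"_(?P<time>\d{2}\.\d{2}\.\d{2})_log\.txt$"
)


def parse_log_name(filename: str) -> Optional[Dict[str, str]]:
    """Split a TDSSKiller log file name into tool, version, date and time."""
    m = LOGNAME_RE.match(filename)
    return m.groupdict() if m else None


def parse_tdsskiller_log(text: str) -> ScanReport:
    """Parse log text into a ScanReport, tolerating forum-wrapped paths."""
    report = ScanReport()
    by_name: Dict[str, ScanEntry] = {}
    last: Optional[ScanEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # a forum paste often double-spaces every line
        m = ENTRY_RE.match(line)
        if m:
            last = ScanEntry(m["name"], m["md5"], m["path"])
            report.entries.append(last)
            by_name[last.name] = last
            continue
        m = VERDICT_RE.match(line)
        if m and m["name"] in by_name:
            by_name[m["name"]].verdict = m["verdict"]
            continue
        m = BOOT_RE.match(line)
        if m:
            report.boot_type = m["boot"]
            continue
        # A line without a timestamp is the tail of a path the paste wrapped:
        # "\system32\..." continues directly, "(x86)\..." needs its space back.
        if last is not None and not line[:2].isdigit():
            last.path += line if line.startswith("\\") else " " + line
    return report


# Constructed sample: the first two entries are copied from the log in this
# thread; the third entry (hash, path, verdict wording) is invented for the demo.
SAMPLE_LOG = r"""
20:20:46.0552 1620 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
20:20:47.0005 1620 Boot type: Safe boot with network
20:21:14.0320 1340 Scan started
20:21:14.0554 1340 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows
\system32\drivers\1394ohci.sys
20:21:14.0554 1340 1394ohci - ok
20:21:19.0172 1340 F-Secure Filter (872a4de096f1b4b5d0cdfa369abf9388) C:\Program Files
(x86)\F-Secure\Anti-Virus\Win2K\FSfilter.sys
20:21:19.0172 1340 F-Secure Filter - ok
20:21:22.0932 1340 sampledrv (00112233445566778899aabbccddeeff) C:\Windows\system32\drivers\sampledrv.sys
20:21:22.0932 1340 sampledrv - suspicious (constructed verdict)
"""


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"boot: {rep.boot_type}, scanned: {len(rep.entries)}")
    for e in rep.flagged():
        print(f"REVIEW {e.name} {e.md5} {e.path} -> {e.verdict}")
    print(parse_log_name("TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt"))
```

Anything the parser prints under REVIEW is what a helper would look at first; the "ok" entries (the bulk of a real log) are kept only for their hash and path, which can be compared against a known-good copy of the same driver.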

Screen317 - Thanks for the reply, I was starting to go nuts - so much so that my wife gave me this list of things to do around the house just to get me thinking about something else - ha!

My impatience showed early. I figured out how to get on in SAFE MODE - in both users. I found my copy of mbam.exe. I decided that since it should have run and didn't, I would manually run it now, so I did. It updated itself and proceeded to do a scan, the resulting log-file (01) of which is posted below.

Since Webroot should have run and also didn't, I executed it also, the results showing the quarantined items, but no log-file. I created JPGs of the data shown via the PrntScr key. The list of quarantined items is shown in 3 parts (02a,b,c), which include items quarantined prior to this incident, but I don't know which ones in the list they are. The 3 JPGs showing them are posted below following the mbam log-file. Subsequently, I deleted the quarantined files.

I re-ran mbam to see if anything was left behind. Nothing was found. The log file (03) is posted below following the jpgs.

Wanting to do a backup, and in SAFE MODE, not finding the data in the other user, plus thinking that ADMINISTRATOR was untouched, or unaffected, I logged on as ADMINISTRATOR (normally, not in SAFE MODE), copied the data to a new folder on the C:\ drive (accessible by all users) and shut down. In SAFE MODE, I proceeded to backup my data, to my Win 2K Sony Vaio via an external USB drive. That kept me entertained - ha!

I ran TDSSKiller.exe several times. It did not find anything, but it made a log file each time and they (04a,b) (05-2a,b) are posted below. NOTE: TDSSKiller did not prompt me to reboot, but I did (each time) anyway.

I ran DDS.scr and '05-1) dds.txt' will be posted following the TDSSKiller log-files 04a,b, below and before the TDSSKiller log-files 05-2a,b.

The above 2 paragraphs are the summary of my actions. Following are the details. I'm not sure you will be interested, but just in case .... If not, search for "+++++++" to find the beginning of my postings.

----------------------

After running TDSSKiller in SAFE Admin mode and finding the log file (relabeled it to 4), I realized that I had killed the window without seeing anything about rebooting, so I decided to rerun TDSSKiller. This time, I booted into Un-SAFE Admin, & ran TDSSKiller. While waiting for it to do something, the screen dimmed and a warning message came up by the User Account Control saying, "..... allow ... make changes to ... computer?" I answered in the affirmative. The message went away, the screen undimmed, the circular "I'm computing" came up - but only in the folder window containing TDSSKiller.exe. Waited @ 10 min. Attempted to Shut Down ... it wouldn't, so I powered down.

Rebooted into SAFE Admin again to determine if a log file had been created - it had not. Changed UAC from 'Default' to 'Never'. Rebooted into 'Un-Safe' Admin & xeq'd TDSSKiller. It Initialized, a start screen came up indicating execution. A final screen came up saying "No threats found". I killed the screen, found the log file created (renamed the file 4b). When I attempted to rename the previous log file (4) to (4a), the window dimmed and the address box at the top began turning green from left to right and the cursor turned to a rotating circle. At this time, Malwarebytes' program displayed an error notice (error #2). I waited another 5 min, but the screen wasn't 'released'. When I attempted to Shut Down - no response. Powered down.

Booted into SAFE Admin mode. Renamed the (4) log file to (4a). Xeq'd dds.scr. The log file came up in Notepad. Read it briefly and closed the editor expecting to find the file on the desktop. Not there. Finally found it and copied it to the desktop as '05-1) dds.txt'.

Began wondering if there was any use running these programs in SAFE MODE, since it is not a 'normal' execution. Shut Down and booted into Un-SAFE Admin mode & xeq'd dds. The computer seemed to go into 'Never-Never Land'. Then Malwarebytes' error screen (error #2) came up. Decided to kill the notice and try xeq'ing DDS again - no response. Tried to Shut Down - no response. Attempted to xeq the Task Manager. Response to get to the menu seemed slow, but I waited. The screen changed to black with a white cursor, and there it hung. Powered down.

Attempted to boot into SAFE Other User (not Admin) in order to xeq the 2 programs. While attempting to open TDSSKiller's folder (on Admin's desktop), I received a "C:\Users\Bill\Cookies is not accessible" message. From this I deduced that TDSSKiller's location was not unimportant and tried to copy it over to Other User's desktop. Execution inside the WE window seemed to hang, so killed the window. 2-clicking on My Computer to get another WE window up - no response. I powered down.

I booted into SAFE Other User, looked for any dds log files from the previous execution attempts and found none. I copied TDSSKiller's folder and DDS.scr from Admin's desktop to Other User's desktop. Shut Down (no problem). Booted into UnSAFE Other User. After the WELCOME screen went away, the desktop never appeared. Then a dialogue window at the bottom left of the screen appeared. 'Windows not responding. It may respond if you wait. End Process or Wait?' I chose End Process. No apparent result, but I did notice the hard drive indicator light was blinking rapidly. I decided to Power Down.

I Booted into UnSAFE Other User mode again. The WELCOME screen seemed to take forever (5+ min), so I powered down.

At this point, I decided that I would create my next entry to the forum. While typing this description, I found that my notes weren't clear about how I started, so I reran TDSSKiller in both SAFE (05-2a) & UnSafe (05-2b) Admin to be sure of the sequence of events. Both times, no threats were found and the program ran to completion. Afterwards, in UnSafe Admin, Malwarebytes Error #2 notice came up. When I attempted to access the log files just created, the address box in the WE window began turning green and the moving circle appeared next to the cursor. The system acted 'hung'. Shut Down - no response. Powered Down.

Attempted to boot into UnSafe Other User (where all my problems originally began) and run the programs. The desktop screen came up, but when I tried to click into the TDSSKiller folder, there was no response. 2-clicking on any icon had no response. I powered down and booted into SAFE Admin to write this and send it off.

I have modified the names of the log files by inserting a sequence code at the beginning of the file names to ease tracking the execution sequence.

In my first attempt to post my reply, the website refused my upload saying it was too long. The TDSSKiller log files are fairly long and I have included 2 sets. I will remove the last set, leaving the references to them. That way, if you would like to see them, too I can upload them in response to your request.

My second attempt to upload is still too long. Is that the same as too large? If so, I don't understand, because next to the "Attach this file" button it says I have used 782.18K of my 10Mb global upload quota, with the maximum single file size being 9.24Mb. The JPGs are 158.45 Kb, 163.48 Kb, & 168.94 Kb, totaling 490.87 Kb, which when subtracted from the 782.18 Kb, gives 291.31 Kb! That's @ .8 Mb, nowhere close to 10 Mb. Nevertheless, I'll remove some more log file results - that of the second mbam scan.

Third attempt. Now, I'll remove the JPGs.

Fourth Attempt. I'll remove the 2nd TDSSKiller log.

Freddy02

++++++++++++++++++++++++++++++ LOG FILE POSTINGS ++++++++++++++++++++++++++++

============ mbam log-file {01) mbam-log-2011-12-05 (05-08-16).txt} ============

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8314
Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.7601.17514
12/5/2011 5:08:33 AM
mbam-log-2011-12-05 (05-08-16).txt
Scan type: Full scan (C:\|E:\|F:\|)
Objects scanned: 716897
Time elapsed: 1 hour(s), 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Strider\AppData\Local\loy.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Strider\AppData\Local\loy.exe (Trojan.FakeAlert) -> No action taken.
c:\Users\Strider\AppData\Local\Temp\eib.dll (Trojan.FakeAlert) -> No action taken.
c:\Users\Strider\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> No action taken.
c:\Users\Strider\AppData\Local\Temp\xwbrqdsofl (Trojan.FakeAlert) -> No action taken.
c:\Users\Strider\AppData\LocalLow\Sun\Java\deployment\cache\6.0\0\433baf00-451ace23 (Trojan.FakeAlert) -> No action taken.
c:\Users\Strider\Desktop\zip drive backups\16 gb (bill's)\bill (3.68 gb)\- ; progs to check out\Others 6\amawat25.exe (Adware.BargainBuddy) -> No action taken.
c:\Users\Strider\Desktop\zip drive backups\16 gb (bill's)\bill (3.68 gb)\- ; progs to check out\Others 6\oclife25.exe (Adware.BargainBuddy) -> No action taken.
c:\Users\Strider\documents\lmv3xxd63.exe (Trojan.FakeAlert) -> No action taken.

============ Webroot 'log' files {02e-g) Webroot Scan Results.jpg} ============

02e) Webroot Scan Results.jpg ..... Removed

02f) Webroot Scan Results.jpg ..... Removed

02g) Webroot Scan Results.jpg ..... Removed

============ mbam log-file {03) mbam-log-2011-12-06 (18-26-59).txt} ============

..... Removed

============ TDSSKiller log-files {04a) (mode, user) TDSSKiller ... _log.txt} ============

20:20:46.0552 1620 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
20:20:47.0005 1620 ============================================================
20:20:47.0005 1620 Current date / time: 2011/12/13 20:20:47.0005
20:20:47.0005 1620 SystemInfo:
20:20:47.0005 1620
20:20:47.0005 1620 OS Version: 6.1.7601 ServicePack: 1.0
20:20:47.0005 1620 Product type: Workstation
20:20:47.0005 1620 ComputerName: ZXXXY
20:20:47.0005 1620 UserName: Bill
20:20:47.0005 1620 Windows directory: C:\Windows
20:20:47.0005 1620 System windows directory: C:\Windows
20:20:47.0005 1620 Running under WOW64
20:20:47.0005 1620 Processor architecture: Intel x64
20:20:47.0005 1620 Number of processors: 4
20:20:47.0005 1620 Page size: 0x1000
20:20:47.0005 1620 Boot type: Safe boot with network
20:20:47.0005 1620 ============================================================
20:20:47.0301 1620 Initialize success
20:21:14.0320 1340 ============================================================
20:21:14.0320 1340 Scan started
20:21:14.0320 1340 Mode: Manual;
20:21:14.0320 1340 ============================================================
20:21:14.0554 1340 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
20:21:14.0554 1340 1394ohci - ok
20:21:14.0617 1340 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
20:21:14.0617 1340 ACPI - ok
20:21:14.0710 1340 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
20:21:14.0710 1340 AcpiPmi - ok
20:21:14.0757 1340 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
20:21:14.0773 1340 adp94xx - ok
20:21:14.0882 1340 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
20:21:14.0882 1340 adpahci - ok
20:21:14.0960 1340 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
20:21:14.0976 1340 adpu320 - ok
20:21:15.0100 1340 AFD (d5b031c308a409a0a576bff4cf083d30) C:\Windows\system32\drivers\afd.sys
20:21:15.0116 1340 AFD - ok
20:21:15.0163 1340 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
20:21:15.0163 1340 agp440 - ok
20:21:15.0241 1340 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
20:21:15.0241 1340 aliide - ok
20:21:15.0303 1340 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
20:21:15.0303 1340 amdide - ok
20:21:15.0366 1340 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
20:21:15.0381 1340 AmdK8 - ok
20:21:15.0397 1340 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
20:21:15.0397 1340 AmdPPM - ok
20:21:15.0459 1340 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
20:21:15.0459 1340 amdsata - ok
20:21:15.0537 1340 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
20:21:15.0553 1340 amdsbs - ok
20:21:15.0646 1340 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
20:21:15.0646 1340 amdxata - ok
20:21:15.0709 1340 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
20:21:15.0724 1340 AppID - ok
20:21:15.0834 1340 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
20:21:15.0834 1340 arc - ok
20:21:15.0849 1340 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
20:21:15.0849 1340 arcsas - ok
20:21:15.0896 1340 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
20:21:15.0896 1340 AsyncMac - ok
20:21:16.0005 1340 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
20:21:16.0005 1340 atapi - ok
20:21:16.0146 1340 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
20:21:16.0146 1340 b06bdrv - ok
20:21:16.0270 1340 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
20:21:16.0270 1340 b57nd60a - ok
20:21:16.0426 1340 BCM43XX (8b5d16d20774fc3727f44e161be2c0ac) C:\Windows\system32\DRIVERS\bcmwl664.sys
20:21:16.0426 1340 BCM43XX - ok
20:21:16.0520 1340 BcmVWL (d224b2e6bb543f1d8f1177d57fec2950) C:\Windows\system32\DRIVERS\bcmvwl64.sys
20:21:16.0520 1340 BcmVWL - ok
20:21:16.0614 1340 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
20:21:16.0614 1340 Beep - ok
20:21:16.0645 1340 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
20:21:16.0660 1340 blbdrive - ok
20:21:16.0801 1340 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
20:21:16.0801 1340 bowser - ok
20:21:16.0848 1340 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
20:21:16.0848 1340 BrFiltLo - ok
20:21:16.0910 1340 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
20:21:16.0910 1340 BrFiltUp - ok
20:21:16.0941 1340 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
20:21:16.0957 1340 Brserid - ok
20:21:16.0972 1340 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
20:21:16.0972 1340 BrSerWdm - ok
20:21:17.0019 1340 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
20:21:17.0019 1340 BrUsbMdm - ok
20:21:17.0050 1340 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
20:21:17.0050 1340 BrUsbSer - ok
20:21:17.0097 1340 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
20:21:17.0097 1340 BTHMODEM - ok
20:21:17.0175 1340 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
20:21:17.0191 1340 cdfs - ok
20:21:17.0300 1340 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\drivers\cdrom.sys
20:21:17.0316 1340 cdrom - ok
20:21:17.0409 1340 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
20:21:17.0409 1340 circlass - ok
20:21:17.0440 1340 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
20:21:17.0456 1340 CLFS - ok
20:21:17.0581 1340 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
20:21:17.0581 1340 CmBatt - ok
20:21:17.0612 1340 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
20:21:17.0612 1340 cmdide - ok
20:21:17.0674 1340 CNG (d5fea92400f12412b3922087c09da6a5) C:\Windows\system32\Drivers\cng.sys
20:21:17.0674 1340 CNG - ok
20:21:17.0784 1340 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
20:21:17.0784 1340 Compbatt - ok
20:21:17.0830 1340 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
20:21:17.0830 1340 CompositeBus - ok
20:21:17.0924 1340 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
20:21:17.0924 1340 crcdisk - ok
20:21:18.0002 1340 CtClsFlt (fbe228abeab2be13b9c3a3a112d4d8dc) C:\Windows\system32\DRIVERS\CtClsFlt.sys
20:21:18.0018 1340 CtClsFlt - ok
20:21:18.0127 1340 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
20:21:18.0127 1340 DfsC - ok
20:21:18.0174 1340 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
20:21:18.0189 1340 discache - ok
20:21:18.0283 1340 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
20:21:18.0283 1340 Disk - ok
20:21:18.0408 1340 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
20:21:18.0408 1340 drmkaud - ok
20:21:18.0486 1340 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
20:21:18.0501 1340 DXGKrnl - ok
20:21:18.0642 1340 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
20:21:18.0813 1340 ebdrv - ok
20:21:18.0954 1340 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
20:21:18.0969 1340 elxstor - ok
20:21:19.0000 1340 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
20:21:19.0000 1340 ErrDev - ok
20:21:19.0063 1340 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
20:21:19.0063 1340 exfat - ok
20:21:19.0172 1340 F-Secure Filter (872a4de096f1b4b5d0cdfa369abf9388) C:\Program Files (x86)\F-Secure\Anti-Virus\Win2K\FSfilter.sys
20:21:19.0172 1340 F-Secure Filter - ok
20:21:19.0203 1340 F-Secure Gatekeeper (b0828e57f64688495b66ee736c36db92) C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys
20:21:19.0203 1340 F-Secure Gatekeeper - ok
20:21:19.0266 1340 F-Secure HIPS (1c8ab0d7d5451c58962940539f913473) C:\Program Files (x86)\F-Secure\HIPS\drivers\fshs.sys
20:21:19.0266 1340 F-Secure HIPS - ok
20:21:19.0297 1340 F-Secure Recognizer (504f83be6d94346e5288fc5881a38a9b) C:\Program Files (x86)\F-Secure\Anti-Virus\Win2K\FSrec.sys
20:21:19.0297 1340 F-Secure Recognizer - ok
20:21:19.0390 1340 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
20:21:19.0390 1340 fastfat - ok
20:21:19.0422 1340 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
20:21:19.0422 1340 fdc - ok
20:21:19.0468 1340 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
20:21:19.0484 1340 FileInfo - ok
20:21:19.0484 1340 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
20:21:19.0484 1340 Filetrace - ok
20:21:19.0515 1340 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
20:21:19.0515 1340 flpydisk - ok
20:21:19.0562 1340 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
20:21:19.0578 1340 FltMgr - ok
20:21:19.0609 1340 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
20:21:19.0609 1340 FsDepends - ok
20:21:19.0656 1340 FSES (81491719ad2f5bb3563334f87c82f734) C:\Windows\system32\drivers\fses.sys
20:21:19.0656 1340 FSES - ok
20:21:19.0671 1340 FSFW (b5b3d6eb4f40abfc4f28be0e5b5538e5) C:\Windows\system32\drivers\fsdfw.sys
20:21:19.0671 1340 FSFW - ok
20:21:19.0718 1340 fssfltr (6c06701bf1db05405804d7eb610991ce) C:\Windows\system32\DRIVERS\fssfltr.sys
20:21:19.0718 1340 fssfltr - ok
20:21:19.0827 1340 fsvista (8a920e6cff3163c843c06e14cf787bd8) C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsvista.sys
20:21:19.0827 1340 fsvista - ok
20:21:19.0921 1340 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
20:21:19.0921 1340 Fs_Rec - ok
20:21:19.0968 1340 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
20:21:19.0968 1340 fvevol - ok
20:21:19.0999 1340 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
20:21:19.0999 1340 gagp30kx - ok
20:21:20.0077 1340 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
20:21:20.0077 1340 GEARAspiWDM - ok
20:21:20.0108 1340 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
20:21:20.0108 1340 hcw85cir - ok
20:21:20.0170 1340 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\drivers\HDAudBus.sys
20:21:20.0170 1340 HDAudBus - ok
20:21:20.0202 1340 HECIx64 (b6ac71aaa2b10848f57fc49d55a651af) C:\Windows\system32\DRIVERS\HECIx64.sys
20:21:20.0202 1340 HECIx64 - ok
20:21:20.0233 1340 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
20:21:20.0233 1340 HidBatt - ok
20:21:20.0248 1340 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
20:21:20.0264 1340 HidBth - ok
20:21:20.0295 1340 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
20:21:20.0295 1340 HidIr - ok
20:21:20.0389 1340 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\drivers\hidusb.sys
20:21:20.0389 1340 HidUsb - ok
20:21:20.0467 1340 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
20:21:20.0467 1340 HpSAMD - ok
20:21:20.0576 1340 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
20:21:20.0607 1340 HTTP - ok
20:21:20.0654 1340 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
20:21:20.0654 1340 hwpolicy - ok
20:21:20.0748 1340 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
20:21:20.0748 1340 i8042prt - ok
20:21:20.0794 1340 iaStor (abbf174cb394f5c437410a788b7e404a) C:\Windows\system32\DRIVERS\iaStor.sys
20:21:20.0810 1340 iaStor - ok
20:21:20.0904 1340 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\Windows\system32\drivers\iaStorV.sys
20:21:20.0904 1340 iaStorV - ok
20:21:21.0106 1340 igfx (31569a2e836c12014148bf7342716946) C:\Windows\system32\DRIVERS\igdkmd64.sys
20:21:21.0294 1340 igfx - ok
20:21:21.0372 1340 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
20:21:21.0387 1340 iirsp - ok
20:21:21.0418 1340 Impcd (dd587a55390ed2295bce6d36ad567da9) C:\Windows\system32\DRIVERS\Impcd.sys
20:21:21.0418 1340 Impcd - ok
20:21:21.0496 1340 IntcAzAudAddService (6e4ccb3aff07e2b9f2a937385c84b573) C:\Windows\system32\drivers\RTKVHD64.sys
20:21:21.0559 1340 IntcAzAudAddService - ok
20:21:21.0668 1340 IntcDAud (03c74719d48056a1078f3a51ceb76baa) C:\Windows\system32\DRIVERS\IntcDAud.sys
20:21:21.0668 1340 IntcDAud - ok
20:21:21.0699 1340 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
20:21:21.0699 1340 intelide - ok
20:21:21.0746 1340 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
20:21:21.0746 1340 intelppm - ok
20:21:21.0886 1340 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
20:21:21.0886 1340 IpFilterDriver - ok
20:21:21.0918 1340 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
20:21:21.0933 1340 IPMIDRV - ok
20:21:21.0996 1340 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
20:21:21.0996 1340 IPNAT - ok
20:21:22.0042 1340 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
20:21:22.0042 1340 IRENUM - ok
20:21:22.0074 1340 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
20:21:22.0074 1340 isapnp - ok
20:21:22.0136 1340 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
20:21:22.0136 1340 iScsiPrt - ok
20:21:22.0183 1340 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\drivers\kbdclass.sys
20:21:22.0183 1340 kbdclass - ok
20:21:22.0230 1340 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\drivers\kbdhid.sys
20:21:22.0230 1340 kbdhid - ok
20:21:22.0292 1340 KSecDD (ccd53b5bd33ce0c889e830d839c8b66e) C:\Windows\system32\Drivers\ksecdd.sys
20:21:22.0292 1340 KSecDD - ok
20:21:22.0339 1340 KSecPkg (9ff918a261752c12639e8ad4208d2c2f) C:\Windows\system32\Drivers\ksecpkg.sys
20:21:22.0339 1340 KSecPkg - ok
20:21:22.0370 1340 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
20:21:22.0370 1340 ksthunk - ok
20:21:22.0464 1340 L1C (39918db0efcf045a1ce6fabbf339f975) C:\Windows\system32\DRIVERS\L1C62x64.sys
20:21:22.0464 1340 L1C - ok
20:21:22.0526 1340 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
20:21:22.0526 1340 lltdio - ok
20:21:22.0682 1340 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
20:21:22.0682 1340 LSI_FC - ok
20:21:22.0713 1340 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
20:21:22.0713 1340 LSI_SAS - ok
20:21:22.0744 1340 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
20:21:22.0744 1340 LSI_SAS2 - ok
20:21:22.0791 1340 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
20:21:22.0791 1340 LSI_SCSI - ok
20:21:22.0807 1340 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
20:21:22.0822 1340 luafv - ok
20:21:22.0932 1340 MBAMProtector (23a854450dab5c9b7a42ab9be6f2e4bd) C:\Windows\system32\drivers\mbam.sys
20:21:22.0932 1340 MBAMProtector - ok
20:21:22.0978 1340 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
20:21:22.0978 1340 megasas - ok
20:21:22.0994 1340 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
20:21:23.0010 1340 MegaSR - ok
20:21:23.0025 1340 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
20:21:23.0025 1340 Modem - ok
20:21:23.0088 1340 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
20:21:23.0088 1340 monitor - ok
20:21:23.0134 1340 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\drivers\mouclass.sys
20:21:23.0134 1340 mouclass - ok
20:21:23.0212 1340 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
20:21:23.0228 1340 mouhid - ok
20:21:23.0290 1340 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
20:21:23.0290 1340 mountmgr - ok
20:21:23.0322 1340 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
20:21:23.0322 1340 mpio - ok
20:21:23.0400 1340 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
20:21:23.0400 1340 mpsdrv - ok
20:21:23.0446 1340 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
20:21:23.0446 1340 MRxDAV - ok
20:21:23.0493 1340 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
20:21:23.0493 1340 mrxsmb - ok
20:21:23.0556 1340 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
20:21:23.0556 1340 mrxsmb10 - ok
20:21:23.0602 1340 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
20:21:23.0602 1340 mrxsmb20 - ok
20:21:23.0649 1340 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
20:21:23.0665 1340 msahci - ok
20:21:23.0727 1340 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
20:21:23.0727 1340 msdsm - ok
20:21:23.0821 1340 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
20:21:23.0821 1340 Msfs - ok
20:21:23.0883 1340 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
20:21:23.0883 1340 mshidkmdf - ok
20:21:23.0930 1340 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
20:21:23.0930 1340 msisadrv - ok
20:21:24.0039 1340 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
20:21:24.0039 1340 MSKSSRV - ok
20:21:24.0117 1340 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
20:21:24.0117 1340 MSPCLOCK - ok
20:21:24.0148 1340 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
20:21:24.0148 1340 MSPQM - ok
20:21:24.0195 1340 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
20:21:24.0211 1340 MsRPC - ok
20:21:24.0258 1340 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
20:21:24.0258 1340 mssmbios - ok
20:21:24.0289 1340 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
20:21:24.0289 1340 MSTEE - ok
20:21:24.0320 1340 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
20:21:24.0320 1340 MTConfig - ok
20:21:24.0351 1340 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
20:21:24.0351 1340 Mup - ok
20:21:24.0460 1340 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
20:21:24.0460 1340 NativeWifiP - ok
20:21:24.0523 1340 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
20:21:24.0554 1340 NDIS - ok
20:21:24.0648 1340 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
20:21:24.0648 1340 NdisCap - ok
20:21:24.0679 1340 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys

20:21:24.0679 1340 NdisTapi - ok

20:21:24.0772 1340 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows

\system32\DRIVERS\ndisuio.sys

20:21:24.0772 1340 Ndisuio - ok

20:21:24.0804 1340 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows

\system32\DRIVERS\ndiswan.sys

20:21:24.0804 1340 NdisWan - ok

20:21:24.0850 1340 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows

\system32\drivers\NDProxy.sys

20:21:24.0850 1340 NDProxy - ok

20:21:24.0897 1340 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows

\system32\DRIVERS\netbios.sys

20:21:24.0897 1340 NetBIOS - ok

20:21:24.0944 1340 NetBT (09594d1089c523423b32a4229263f068) C:\Windows

\system32\DRIVERS\netbt.sys

20:21:24.0944 1340 NetBT - ok

20:21:24.0991 1340 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows

\system32\DRIVERS\nfrd960.sys

20:21:24.0991 1340 nfrd960 - ok

20:21:25.0053 1340 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows

\system32\drivers\Npfs.sys

20:21:25.0069 1340 Npfs - ok

20:21:25.0131 1340 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows

\system32\drivers\nsiproxy.sys

20:21:25.0131 1340 nsiproxy - ok

20:21:25.0194 1340 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows

\system32\drivers\Ntfs.sys

20:21:25.0256 1340 Ntfs - ok

20:21:25.0287 1340 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows

\system32\drivers\Null.sys

20:21:25.0287 1340 Null - ok

20:21:25.0350 1340 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows

\system32\drivers\nvraid.sys

20:21:25.0350 1340 nvraid - ok

20:21:25.0396 1340 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows

\system32\drivers\nvstor.sys

20:21:25.0396 1340 nvstor - ok

20:21:25.0443 1340 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows

\system32\drivers\nv_agp.sys

20:21:25.0443 1340 nv_agp - ok

20:21:25.0490 1340 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows

\system32\drivers\ohci1394.sys

20:21:25.0490 1340 ohci1394 - ok

20:21:25.0599 1340 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows

\system32\DRIVERS\parport.sys

20:21:25.0599 1340 Parport - ok

20:21:25.0646 1340 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows

\system32\drivers\partmgr.sys

20:21:25.0646 1340 partmgr - ok

20:21:25.0693 1340 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows

\system32\drivers\pci.sys

20:21:25.0708 1340 pci - ok

20:21:25.0724 1340 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows

\system32\drivers\pciide.sys

20:21:25.0724 1340 pciide - ok

20:21:25.0786 1340 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows

\system32\DRIVERS\pcmcia.sys

20:21:25.0786 1340 pcmcia - ok

20:21:25.0802 1340 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows

\system32\drivers\pcw.sys

20:21:25.0802 1340 pcw - ok

20:21:25.0833 1340 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows

\system32\drivers\peauth.sys

20:21:25.0849 1340 PEAUTH - ok

20:21:26.0020 1340 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
20:21:26.0020 1340 PptpMiniport - ok
20:21:26.0052 1340 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
20:21:26.0052 1340 Processor - ok
20:21:26.0098 1340 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
20:21:26.0114 1340 Psched - ok
20:21:26.0145 1340 PxHlpa64 (4712cc14e720ecccc0aa16949d18aaf1) C:\Windows\system32\Drivers\PxHlpa64.sys
20:21:26.0145 1340 PxHlpa64 - ok
20:21:26.0208 1340 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
20:21:26.0239 1340 ql2300 - ok
20:21:26.0270 1340 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
20:21:26.0270 1340 ql40xx - ok
20:21:26.0301 1340 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
20:21:26.0301 1340 QWAVEdrv - ok
20:21:26.0332 1340 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
20:21:26.0332 1340 RasAcd - ok
20:21:26.0364 1340 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
20:21:26.0364 1340 RasAgileVpn - ok
20:21:26.0457 1340 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
20:21:26.0457 1340 Rasl2tp - ok
20:21:26.0535 1340 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
20:21:26.0535 1340 RasPppoe - ok
20:21:26.0551 1340 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
20:21:26.0566 1340 RasSstp - ok
20:21:26.0613 1340 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
20:21:26.0613 1340 rdbss - ok
20:21:26.0660 1340 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
20:21:26.0660 1340 rdpbus - ok
20:21:26.0691 1340 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
20:21:26.0691 1340 RDPCDD - ok
20:21:26.0722 1340 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
20:21:26.0722 1340 RDPENCDD - ok
20:21:26.0754 1340 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
20:21:26.0769 1340 RDPREFMP - ok
20:21:26.0800 1340 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
20:21:26.0816 1340 RDPWD - ok
20:21:26.0894 1340 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
20:21:26.0894 1340 rdyboost - ok
20:21:26.0972 1340 RimUsb (7b04c9843921ab1f695fb395422c5360) C:\Windows\system32\Drivers\RimUsb_AMD64.sys
20:21:26.0972 1340 RimUsb - ok
20:21:27.0003 1340 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
20:21:27.0019 1340 rspndr - ok
20:21:27.0050 1340 RSUSBSTOR (22d6b47d004a6568c500680be2972854) C:\Windows\system32\Drivers\RtsUStor.sys
20:21:27.0050 1340 RSUSBSTOR - ok
20:21:27.0112 1340 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
20:21:27.0112 1340 sbp2port - ok
20:21:27.0237 1340 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
20:21:27.0237 1340 scfilter - ok
20:21:27.0315 1340 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
20:21:27.0331 1340 secdrv - ok
20:21:27.0362 1340 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
20:21:27.0362 1340 Serenum - ok
20:21:27.0424 1340 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
20:21:27.0424 1340 Serial - ok
20:21:27.0471 1340 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
20:21:27.0471 1340 sermouse - ok
20:21:27.0518 1340 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
20:21:27.0518 1340 sffdisk - ok
20:21:27.0549 1340 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
20:21:27.0565 1340 sffp_mmc - ok
20:21:27.0565 1340 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
20:21:27.0580 1340 sffp_sd - ok
20:21:27.0627 1340 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
20:21:27.0627 1340 sfloppy - ok
20:21:27.0690 1340 Sftfs (a40abfdcb75f835fdf3ce0cc64e4250d) C:\Windows\system32\DRIVERS\Sftfslh.sys
20:21:27.0705 1340 Sftfs - ok
20:21:27.0768 1340 Sftplay (411769ed1cb12d2b44217734347bdb7a) C:\Windows\system32\DRIVERS\Sftplaylh.sys
20:21:27.0768 1340 Sftplay - ok
20:21:27.0799 1340 Sftredir (a14d0df34bbb00ea94da16193d0c7957) C:\Windows\system32\DRIVERS\Sftredirlh.sys
20:21:27.0799 1340 Sftredir - ok
20:21:27.0830 1340 Sftvol (393b22addd89979eb1c60898f51c3648) C:\Windows\system32\DRIVERS\Sftvollh.sys
20:21:27.0846 1340 Sftvol - ok
20:21:27.0924 1340 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
20:21:27.0939 1340 SiSRaid2 - ok
20:21:27.0955 1340 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
20:21:27.0955 1340 SiSRaid4 - ok
20:21:28.0002 1340 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
20:21:28.0002 1340 Smb - ok
20:21:28.0080 1340 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
20:21:28.0080 1340 spldr - ok
20:21:28.0158 1340 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
20:21:28.0158 1340 srv - ok
20:21:28.0220 1340 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
20:21:28.0220 1340 srv2 - ok
20:21:28.0282 1340 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
20:21:28.0298 1340 srvnet - ok
20:21:28.0329 1340 ssfmonm (a4c4a1fedfbed04b39efae9f1311ed5e) C:\Windows\system32\DRIVERS\ssfmonm.sys
20:21:28.0345 1340 ssfmonm - ok
20:21:28.0360 1340 ssidrv (1cc88f50bd4e6fd6eac5c5365ceb6583) C:\Windows\system32\DRIVERS\ssidrv.sys
20:21:28.0360 1340 ssidrv - ok
20:21:28.0376 1340 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
20:21:28.0376 1340 stexstor - ok
20:21:28.0454 1340 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\drivers\swenum.sys
20:21:28.0454 1340 swenum - ok
20:21:28.0501 1340 SynTP (c25866bdf0e818e02bb8e76845d26e54) C:\Windows\system32\DRIVERS\SynTP.sys
20:21:28.0501 1340 SynTP - ok
20:21:28.0579 1340 Tcpip (fc62769e7bff2896035aeed399108162) C:\Windows\system32\drivers\tcpip.sys
20:21:28.0626 1340 Tcpip - ok
20:21:28.0719 1340 TCPIP6 (fc62769e7bff2896035aeed399108162) C:\Windows\system32\DRIVERS\tcpip.sys
20:21:28.0719 1340 TCPIP6 - ok

20:21:28.0782 1340 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
20:21:28.0782 1340 tcpipreg - ok
20:21:28.0844 1340 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
20:21:28.0860 1340 TDPIPE - ok
20:21:28.0891 1340 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
20:21:28.0906 1340 TDTCP - ok
20:21:28.0953 1340 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
20:21:28.0953 1340 tdx - ok
20:21:29.0000 1340 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\drivers\termdd.sys
20:21:29.0000 1340 TermDD - ok
20:21:29.0094 1340 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
20:21:29.0094 1340 tssecsrv - ok
20:21:29.0156 1340 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
20:21:29.0156 1340 TsUsbFlt - ok
20:21:29.0265 1340 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
20:21:29.0265 1340 tunnel - ok
20:21:29.0296 1340 TurboB (825e7a1f48fb8bcfba27c178aab4e275) C:\Windows\system32\DRIVERS\TurboB.sys
20:21:29.0312 1340 TurboB - ok
20:21:29.0343 1340 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
20:21:29.0343 1340 uagp35 - ok
20:21:29.0390 1340 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
20:21:29.0390 1340 udfs - ok
20:21:29.0452 1340 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
20:21:29.0452 1340 uliagpkx - ok
20:21:29.0546 1340 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\drivers\umbus.sys
20:21:29.0546 1340 umbus - ok
20:21:29.0608 1340 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
20:21:29.0608 1340 UmPass - ok
20:21:29.0686 1340 USBAAPL64 (aa33fc47ed58c34e6e9261e4f850b7eb) C:\Windows\system32\Drivers\usbaapl64.sys
20:21:29.0686 1340 USBAAPL64 - ok
20:21:29.0733 1340 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
20:21:29.0733 1340 usbccgp - ok
20:21:29.0780 1340 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
20:21:29.0780 1340 usbcir - ok
20:21:29.0827 1340 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\drivers\usbehci.sys
20:21:29.0827 1340 usbehci - ok
20:21:29.0858 1340 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
20:21:29.0858 1340 usbhub - ok
20:21:29.0905 1340 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\drivers\usbohci.sys
20:21:29.0905 1340 usbohci - ok
20:21:29.0952 1340 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
20:21:29.0952 1340 usbprint - ok
20:21:29.0983 1340 usbscan (aaa2513c8aed8b54b189fd0c6b1634c0) C:\Windows\system32\DRIVERS\usbscan.sys
20:21:29.0983 1340 usbscan - ok
20:21:30.0030 1340 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\drivers\USBSTOR.SYS
20:21:30.0030 1340 USBSTOR - ok
20:21:30.0076 1340 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\drivers\usbuhci.sys
20:21:30.0076 1340 usbuhci - ok
20:21:30.0123 1340 usbvideo (454800c2bc7f3927ce030141ee4f4c50) C:\Windows\System32\Drivers\usbvideo.sys
20:21:30.0139 1340 usbvideo - ok
20:21:30.0186 1340 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
20:21:30.0186 1340 vdrvroot - ok
20:21:30.0217 1340 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
20:21:30.0232 1340 vga - ok
20:21:30.0264 1340 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
20:21:30.0264 1340 VgaSave - ok
20:21:30.0310 1340 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
20:21:30.0310 1340 vhdmp - ok
20:21:30.0357 1340 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
20:21:30.0357 1340 viaide - ok
20:21:30.0373 1340 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
20:21:30.0373 1340 volmgr - ok
20:21:30.0420 1340 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
20:21:30.0420 1340 volmgrx - ok
20:21:30.0466 1340 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
20:21:30.0466 1340 volsnap - ok
20:21:30.0513 1340 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
20:21:30.0529 1340 vsmraid - ok
20:21:30.0544 1340 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
20:21:30.0544 1340 vwifibus - ok
20:21:30.0576 1340 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
20:21:30.0576 1340 vwififlt - ok
20:21:30.0607 1340 vwifimp (6a638fc4bfddc4d9b186c28c91bd1a01) C:\Windows\system32\DRIVERS\vwifimp.sys
20:21:30.0607 1340 vwifimp - ok
20:21:30.0638 1340 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
20:21:30.0638 1340 WacomPen - ok
20:21:30.0685 1340 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
20:21:30.0685 1340 WANARP - ok
20:21:30.0716 1340 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
20:21:30.0716 1340 Wanarpv6 - ok
20:21:30.0778 1340 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
20:21:30.0778 1340 Wd - ok
20:21:30.0810 1340 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
20:21:30.0825 1340 Wdf01000 - ok
20:21:30.0950 1340 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
20:21:30.0950 1340 WfpLwf - ok
20:21:30.0997 1340 WimFltr (b14ef15bd757fa488f9c970eee9c0d35) C:\Windows\system32\DRIVERS\wimfltr.sys
20:21:30.0997 1340 WimFltr - ok
20:21:31.0012 1340 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
20:21:31.0012 1340 WIMMount - ok
20:21:31.0090 1340 WinUsb (fe88b288356e7b47b74b13372add906d) C:\Windows\system32\DRIVERS\WinUsb.sys
20:21:31.0090 1340 WinUsb - ok
20:21:31.0200 1340 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
20:21:31.0200 1340 WmiAcpi - ok
20:21:31.0324 1340 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
20:21:31.0324 1340 ws2ifsl - ok
20:21:31.0371 1340 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
20:21:31.0371 1340 WudfPf - ok
20:21:31.0418 1340 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
20:21:31.0418 1340 WUDFRd - ok
20:21:31.0480 1340 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
20:21:31.0480 1340 \Device\Harddisk0\DR0 - ok
20:21:31.0496 1340 Boot (0x1200) (79ed531b8aef9bad535b4adefc409b13) \Device\Harddisk0\DR0\Partition0
20:21:31.0496 1340 \Device\Harddisk0\DR0\Partition0 - ok
20:21:31.0512 1340 Boot (0x1200) (ec7a06e888a1b22ccdee0d0b2ee5ec30) \Device\Harddisk0\DR0\Partition1
20:21:31.0512 1340 \Device\Harddisk0\DR0\Partition1 - ok
20:21:31.0512 1340 ============================================================
20:21:31.0512 1340 Scan finished
20:21:31.0512 1340 ============================================================
20:21:31.0668 2032 Detected object count: 0
20:21:31.0668 2032 Actual detected object count: 0
20:21:57.0376 1980 Deinitialize success

============ TDSSKiller log-files {04b) (mode, user) TDSSKiller ... _log.txt} ============

..... Removed

============ DDS.txt file {05-1} =============

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.7601.17514
Run by Bill at 22:02:44 on 2011-12-13
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5941.5170 [GMT -7:00]
.
AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
AV: F-Secure Anti-Virus 2011 10.51 *Disabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
SP: F-Secure Anti-Virus 2011 10.51 *Disabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.

============== Pseudo HJT Report ===============
.
uStart Page = g.msn.com/USCON/1
uDefault_Page_URL = g.msn.com/USCON/1
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [RESTART_STICKY_NOTES] "C:\Windows\System32\StikyNot.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [AppleSyncNotifier] "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [WebrootTrayApp] "C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
StartupFolder: C:\Users\Bill\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\EXIFLA~1.LNK - C:\Program Files\FinePixViewer\QuickDCF2.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C1930B58-E91F-4FBB-A473-48D12EC70B0C} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C1930B58-E91F-4FBB-A473-48D12EC70B0C}\C696E6B6379737 : DhcpNameServer = 69.145.232.4 69.144.49.30 69.146.17.3
TCP: Interfaces\{C1930B58-E91F-4FBB-A473-48D12EC70B0C}\E4F626C6560284F6573756 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{CE87ECB4-6AA4-4FE1-8CCA-41952F7D3D79} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [AppleSyncNotifier] "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [WebrootTrayApp] "C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe"
mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
.

============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;C:\Program Files (x86)\Webroot\Security\Current\plugins\antimalware\AEI.exe [2011-2-24 3997912]
R2 WRConsumerService;Webroot Client Service;C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe [2011-9-20 3381184]
R3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\system32\DRIVERS\bcmvwl64.sys --> C:\Windows\system32\DRIVERS\bcmvwl64.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S1 F-Secure HIPS;F-Secure HIPS Driver;C:\Program Files (x86)\F-Secure\HIPS\drivers\fshs.sys [2011-2-23 61960]
S1 FSES;F-Secure Email Scanning Driver;C:\Windows\system32\drivers\fses.sys --> C:\Windows\system32\drivers\fses.sys [?]
S1 FSFW;F-Secure Firewall Driver;C:\Windows\system32\drivers\fsdfw.sys --> C:\Windows\system32\drivers\fsdfw.sys [?]
S1 fsvista;F-Secure Vista Support Driver;C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsvista.sys [2011-2-23 15016]
S2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-12-3 98208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-10-15 366152]
S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]
S2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-12-3 689472]
S2 ssfmonm;ssfmonm;C:\Windows\system32\DRIVERS\ssfmonm.sys --> C:\Windows\system32\DRIVERS\ssfmonm.sys [?]
S2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
S2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-3 2533400]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys [2011-2-23 194728]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-22 1493352]
S3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
S3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
S3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows

\system32\DRIVERS\Sftredirlh.sys [?]

S3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows

\system32\DRIVERS\Sftvollh.sys [?]

S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application

Virtualization Client\sftvsa.exe [2010-9-14 219496]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows

\system32\drivers\tsusbflt.sys [?]

S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2

126352]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:

\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat

\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files (x86)\F-Secure\Anti-Virus\win2k

\fsfilter.sys [2011-2-23 41896]

S4 F-Secure Gatekeeper Handler Starter;FSGKHS;C:\Program Files (x86)\F-Secure\Anti-Virus

\fsgk32st.exe [2011-2-23 221864]

S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files (x86)\F-Secure\Anti-

Virus\win2k\fsrec.sys [2011-2-23 27304]

S4 FSORSPClient;F-Secure ORSP Client;C:\Program Files (x86)\F-Secure\ORSP Client\fsorsp.exe

[2011-2-23 63992]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live

\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2011-12-04 15:56:08 -------- d-----w- C:\Users\Bill\AppData\Roaming\Malwarebytes

2011-12-03 00:14:46 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{66F6E6BD-DD67-40C0-9082-41BC5041C06B}\mpengine.dll

2011-12-02 00:58:30 -------- d-----w- C:\Program Files\iTunes

2011-12-02 00:58:30 -------- d-----w- C:\Program Files\iPod

2011-12-02 00:58:30 -------- d-----w- C:\Program Files (x86)\iTunes

.

==================== Find3M ====================

.

2011-12-03 21:08:36 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-24 20:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx

2011-10-24 20:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

2011-10-06 04:49:03 5197 ----a-w- C:\DetectionData.tmp

2011-10-06 04:49:03 49012 ----a-w- C:\InformationalData.tmp

2011-10-01 03:25:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2011-10-01 02:42:56 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2011-09-29 04:03:32 3144704 ----a-w- C:\Windows\System32\win32k.sys

.

============= FINISH: 22:03:42.88 ===============

============ TDSSKiller log-files {05-2a) (mode, user) TDSSKiller ... _log.txt} ============

..... Removed

============ TDSSKiller log-files {05-2b) (mode, user) TDSSKiller ... _log.txt} ==========

..... Removed.

++++++++++++++++++++++++++++++++ END of FILE, END of DATA ++++++++++++++++++++++++++


  • Staff

Hi,

Ensure that Word Wrap is off in Notepad.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hi Screen317 -

I tried (really hard) to follow your instructions, but it seemed like everything that could mess me up, did. Most everything did not turn out the way all the written instructions and guides implied they should. So, I flew by the seat of my pants (now I know why they had that 'trap-door' on the underwear - ha!). I'm describing what happened and what I did in some detail in hopes that more light is shed on the problem. If I am running off at the proverbial mouth, please let me know.

Part of executing combofix.exe is reading the instructions on how to execute it. After downloading Combofix.exe, the reader is instructed to ensure that all antivirus, antispyware, and firewall programs are disabled. Toward that end, the user is directed to bleepingcomputer.com/forums/topic114351 ("How to Temporarily Disable Your Anti-virus, Firewall and Anti-malware Programs"), which includes directions on how to disable the Windows 7 firewall. They begin with "1. Click START and then click CONTROL PANEL; 2. Click SYSTEM AND SECURITY; ...". I was directed to either click CHECK FIREWALL STATUS or TURN WINDOWS FIREWALL ON OR OFF, depending on the setting of "View by". I wasn't able to find any "View by", so that implies checking firewall status, and then under Control Panel Home, clicking on CHECK FIREWALL STATUS.

That's what I did, er, tried to do. CONTROL PANEL - yes. But, it didn't contain SYSTEM AND SECURITY - only SYSTEM. Clicking on that, I see Control Panel Home, but NO System and Security and NO Check Firewall Status. Why, I don't know. I can only assume that the firewall is turned off (BIG SURPRISE!!!).

So, I continue disabling the antivirus, etc. programs .... Webroot is not available, neither is Spy Sweeper - because I'm in SAFE MODE?

I have already turned F-Secure off.

How about Windows Defender? Searching CONTROL PANEL for Windows Defender yields nothing. SAFE MODE again?

Continuing, comes Malwarebytes. The instructions begin with "right-click on the icon in the System Tray...." There is nothing there. Attempting to execute Mbam (or any other program) from the START menu results in a window entitled "Open with". Under the title bar is the phrase, "Choose the program you want to use to open this file:" Under that line is the line, "File: mbam.exe". Under that phrase and within the window is a large display box entitled "Recommended Programs". Listed is one program - "Adobe Reader 9.1". Under it is the title, "Other Programs", which include Internet Explorer, iTunes, MS Word, Paint, and others, but no mbam. At the bottom is the statement "If the program you want is not in the list or on your computer, you can 'look for the appropriate program on the Web'."

That is totally bogus behavior and I attribute it to whatever it was that took over my laptop.

I tried rebooting into 'Un-safe' Administrator to try these techniques again, but when it came up, there was NO START WITH WINDOWS box under General Settings on the PROTECTION TAB. That figures!

None of these seemed to exist, so I decided to xeq Combofix, but noticed that the laptop had locked up before I could. Powered down.

Booted into Unsafe Admin again. Welcome screen, but never got to the login screen. Powered down.

Booted into SAFE Admin. Restarted into Unsafe Admin and xeq'd Combofix. Extracted files, but then detected Webroot with Spy Sweeper running. Combofix wanted me to halt it before continuing. It wouldn't allow me to halt Combofix. I tried (several times) but it wouldn't let me. I found out later that that capability was not built into the version I have. The system seemed unresponsive, then a Malwarebytes error message appeared saying, "[OPEN EVENT] Failed to perform desired action. Error code 2.". Clicked OK and waited - no response, couldn't shut down, so I powered down.

Booted to SAFE Admin. Rebooted to Unsafe Admin. System hung. Powered down. Booted to SAFE Admin. Rebooted to Unsafe Admin. Selected Admin icon, typed PW. System hangs before desktop appears so, back to SAFE Admin.

Ran Combofix. It halts with a message about Webroot running (as before). Tried different ways to disable Webroot, but Combofix kept finding it. Finally, I uninstalled Webroot. Rebooting and re-xeq'ing Combofix - and it found Webroot - again ... even after it had been uninstalled!! Rebooted and xeq'd Combofix. It found Webroot again! Decided to ignore the warning and continue. Combofix ran to completion. The log file follows.

Xeq'd dds.scr. Its log follows the Combofix log, below.

I'm uploading all this from SAFE Admin.

++++++++++++++++++++++++++++++ LOG FILE POSTINGS ++++++++++++++++++++++++++++

=========================== Combofix Log file ===============================

ComboFix 11-12-19.03 - Bill 12/20/2011 3:52.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5941.4468 [GMT -7:00]

Running from: c:\users\Bill\Desktop\ComboFix.exe

AV: F-Secure Anti-Virus 2011 10.51 *Disabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}

AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}

SP: F-Secure Anti-Virus 2011 10.51 *Disabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}

SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Strider\Documents\DPE.DUS

c:\users\Strider\Documents\xcopy.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))

.

.

2011-12-20 10:58 . 2011-12-20 10:58 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-12-20 10:35 . 2011-12-20 10:35 -------- d-----w- c:\users\Bill\AppData\Local\PackageAware

2011-12-18 05:22 . 2011-12-18 05:22 -------- d-----w- c:\program files (x86)\MSECache

2011-12-15 23:32 . 2011-12-15 23:32 -------- d-----w- c:\users\Bill\AppData\Roaming\IrfanView

2011-12-15 23:32 . 2011-12-15 23:32 -------- d-----w- c:\program files (x86)\IrfanView

2011-12-13 16:19 . 2011-12-14 14:54 -------- d-----w- C:\- - Malwarebytes Misc (fr USD Sata)

2011-12-08 10:04 . 2011-12-08 10:04 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help

2011-12-04 15:56 . 2011-12-04 15:56 -------- d-----w- c:\users\Bill\AppData\Roaming\Malwarebytes

2011-12-03 00:14 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66F6E6BD-DD67-40C0-9082-41BC5041C06B}\mpengine.dll

2011-12-02 00:58 . 2011-12-02 00:59 -------- d-----w- c:\program files\iTunes

2011-12-02 00:58 . 2011-12-02 00:59 -------- d-----w- c:\program files (x86)\iTunes

2011-12-02 00:58 . 2011-12-02 00:58 -------- d-----w- c:\program files\iPod

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-03 21:08 . 2011-06-24 02:46 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-25 01:32 . 2011-10-18 08:31 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll

2011-10-25 01:32 . 2011-10-18 08:30 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll

2011-10-25 01:32 . 2011-10-18 08:30 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll

2011-10-25 01:32 . 2011-09-21 22:11 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2011-10-24 20:29 . 2011-10-24 20:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2011-10-24 20:29 . 2011-10-24 20:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

2011-10-22 08:18 . 2011-09-21 22:12 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll

2011-10-22 08:18 . 2011-09-21 22:12 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll

2011-10-22 08:18 . 2011-09-21 22:11 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll

2011-10-18 08:30 . 2011-10-18 08:30 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll

2011-10-06 04:49 . 2011-10-06 04:49 5197 ----a-w- C:\DetectionData.tmp

2011-10-06 04:49 . 2011-10-06 04:49 49012 ----a-w- C:\InformationalData.tmp

2011-10-01 03:25 . 2011-10-13 05:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-10-01 02:42 . 2011-10-13 05:51 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-09-29 16:29 . 2011-11-09 02:19 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-09-29 04:03 . 2011-11-09 02:19 3144704 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-08-20 487562]

"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]

"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-12-16 498160]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]

.

c:\users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Exif Launcher 2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2011-7-30 294912]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys [2011-02-23 194728]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 F-Secure Filter;F-Secure File System Filter;c:\program files (x86)\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2011-02-23 41896]

R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files (x86)\F-Secure\Anti-Virus\Win2K\FSrec.sys [2011-02-23 27304]

R4 FSORSPClient;F-Secure ORSP Client;c:\program files (x86)\F-Secure\ORSP Client\fsorsp.exe [2011-02-23 63992]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files (x86)\F-Secure\HIPS\drivers\fshs.sys [2011-02-23 61960]

S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [x]

S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [x]

S1 fsvista;F-Secure Vista Support Driver;c:\program files (x86)\F-Secure\Anti-Virus\minifilter\fsvista.sys [2011-02-23 15016]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]

S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [x]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-07-01 2533400]

S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [x]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-20 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:09]

.

2011-12-20 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:09]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-04-14 10144288]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]

"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2010-04-06 3203440]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = g.msn.com/USCON/1

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105

IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204

LSP: c:\program files (x86)\F-Secure\FSPS\program\FSLSP.DLL

Trusted Zone: intuit.com\ttlc

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe

SafeBoot-mcmscsvc

SafeBoot-MCODS

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-12-20 04:00:26

ComboFix-quarantined-files.txt 2011-12-20 11:00

.

Pre-Run: 439,703,302,144 bytes free

Post-Run: 440,374,124,544 bytes free

.

- - End Of File - - AE261AD1E3AB06C9C08DA99315106D1A

=========================== dds.scr Log file ===============================

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514

Run by Bill at 4:07:32 on 2011-12-20

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5941.4195 [GMT -7:00]

.

AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}

AV: F-Secure Anti-Virus 2011 10.51 *Disabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}

SP: F-Secure Anti-Virus 2011 10.51 *Disabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Windows\System32\StikyNot.exe

C:\Program Files\FinePixViewer\QuickDCF2.exe

C:\Program Files\Dell\DellDock\DellDock.exe

C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Roxio\Roxio Burn\Roxio Burn.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = g.msn.com/USCON/1

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2

mRun: [AppleSyncNotifier] "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe"

mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

StartupFolder: C:\Users\Bill\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\EXIFLA~1.LNK - C:\Program Files\FinePixViewer\QuickDCF2.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

LSP: C:\Program Files (x86)\F-Secure\FSPS\program\FSLSP.DLL

Trusted Zone: intuit.com\ttlc

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{C1930B58-E91F-4FBB-A473-48D12EC70B0C} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{C1930B58-E91F-4FBB-A473-48D12EC70B0C}\C696E6B6379737 : DhcpNameServer = 69.145.232.4 69.144.49.30 69.146.17.3

TCP: Interfaces\{C1930B58-E91F-4FBB-A473-48D12EC70B0C}\E4F626C6560284F6573756 : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{CE87ECB4-6AA4-4FE1-8CCA-41952F7D3D79} : DhcpNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO-X64: Search Helper - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2

mRun-x64: [AppleSyncNotifier] "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe"

mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

.

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R1 F-Secure HIPS;F-Secure HIPS Driver;C:\Program Files (x86)\F-Secure\HIPS\drivers\fshs.sys [2011-2-23 61960]

R1 FSES;F-Secure Email Scanning Driver;C:\Windows\system32\drivers\fses.sys --> C:\Windows\system32\drivers\fses.sys [?]

R1 FSFW;F-Secure Firewall Driver;C:\Windows\system32\drivers\fsdfw.sys --> C:\Windows\system32\drivers\fsdfw.sys [?]

R1 fsvista;F-Secure Vista Support Driver;C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsvista.sys [2011-2-23 15016]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-12-3 98208]

R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]

R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-10-15 366152]

R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]

R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-12-3 689472]

R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]

R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-3 2533400]

R3 BcmVWL;Broadcom Virtual Wireless;C:\Windows\system32\DRIVERS\bcmvwl64.sys --> C:\Windows\system32\DRIVERS\bcmvwl64.sys [?]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]

R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]

R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]

R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]

R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]

R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files (x86)\F-Secure\Anti-Virus\minifilter\fsgk.sys [2011-2-23 194728]

S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-22 1493352]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files (x86)\F-Secure\Anti-Virus\win2k\fsfilter.sys [2011-2-23 41896]

S4 F-Secure Gatekeeper Handler Starter;FSGKHS;C:\Program Files (x86)\F-Secure\Anti-Virus\fsgk32st.exe [2011-2-23 221864]

S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files (x86)\F-Secure\Anti-Virus\win2k\fsrec.sys [2011-2-23 27304]

S4 FSORSPClient;F-Secure ORSP Client;C:\Program Files (x86)\F-Secure\ORSP Client\fsorsp.exe [2011-2-23 63992]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2011-12-20 10:35:58 -------- d-----w- C:\Users\Bill\AppData\Local\PackageAware

2011-12-20 10:24:20 98816 ----a-w- C:\Windows\sed.exe

2011-12-20 10:24:20 518144 ----a-w- C:\Windows\SWREG.exe

2011-12-20 10:24:20 256000 ----a-w- C:\Windows\PEV.exe

2011-12-20 10:24:20 208896 ----a-w- C:\Windows\MBR.exe

2011-12-18 05:22:49 -------- d-----w- C:\Program Files (x86)\MSECache

2011-12-15 23:32:42 -------- d-----w- C:\Users\Bill\AppData\Roaming\IrfanView

2011-12-15 23:32:42 -------- d-----w- C:\Program Files (x86)\IrfanView

2011-12-13 16:19:11 -------- d-----w- C:\- - Malwarebytes Misc (fr USD Sata)

2011-12-04 15:56:08 -------- d-----w- C:\Users\Bill\AppData\Roaming\Malwarebytes

2011-12-03 00:14:46 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{66F6E6BD-DD67-40C0-9082-41BC5041C06B}\mpengine.dll

2011-12-02 00:58:30 -------- d-----w- C:\Program Files\iTunes

2011-12-02 00:58:30 -------- d-----w- C:\Program Files\iPod

2011-12-02 00:58:30 -------- d-----w- C:\Program Files (x86)\iTunes

.

==================== Find3M ====================

.

2011-12-03 21:08:36 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-24 20:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx

2011-10-24 20:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

2011-10-06 04:49:03 5197 ----a-w- C:\DetectionData.tmp

2011-10-06 04:49:03 49012 ----a-w- C:\InformationalData.tmp

2011-10-01 03:25:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2011-10-01 02:42:56 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2011-09-29 04:03:32 3144704 ----a-w- C:\Windows\System32\win32k.sys

.

============= FINISH: 4:07:44.89 ===============

++++++++++++++++++++++++++++++++ END of FILE, END of DATA ++++++++++++++++++++++++++


  • Staff

Hi,

My apologies for the delay.

Thank you for the detailed information. It looks like it just wasn't tailored to your specific setup.

I notice that you are using more than one antivirus program (F-Secure and Webroot). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Reboot.

Update MBAM, run a Quick Scan, and post its log.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Screen317 -

Merry Christmas (belated)!

Apologies accepted.

I have a question concerning your most recent post. Quoting from your recent posting, "Thank you ... information. It looks like it wasn't tailored to your specific setup." My question is: WHAT wasn't tailored to my specific setup?

I was in a huff last year to get 'protected' and wasn't very careful about what I was doing. After installing both anti-virus programs, I noticed my laptop running slowly. Since it was new, and those were the only new programs, I disabled F-Secure since Webroot came with a 3-computer license. I had thought that that was enough.

However, after booting up in the (un-safe) user where all these problems originated, when I attempted to uninstall F-Secure through 'Add or Remove Programs', a window came up telling me I had to pick an executable program to execute 'this' (my paraphrase). Previously, while in this user, any program I tried to execute ended up presenting me with this window.

Rebooting into Un-safe Administrator, I attempted to uninstall F-Secure as before. This time, the msi executed, uninstalling F-Secure. It finished requesting a reboot. I complied, booting back into unsafe administrator. Checking for F-Secure in 'Add or Remove ...' after the computer booted, I didn't find it - so it's gone.

Exiting 'Programs and Features', I executed MBAM, which presented a window to me, saying

"the latest version of Malwarebytes' Anti-Malware had been downloaded. Malwarebytes' Anti-Malware will now close and install the latest version.",

and presented me with the choice of two buttons, "OK", and "Cancel". I chose "OK". Another window came up saying that version 1.60.0.1800 would be installed. I clicked 'NEXT'.

Among the new features, was the ability to run even when the computer was infected. THAT WILL BE GREAT IF IT ACTUALLY WORKS !!!!

Installation finished and rebooted - into unsafe Admin. Clicking on START/Malwarebytes' Anti-Malware/, instead of getting more links, it executed and was ready to scan. Clicking on the UPDATE tab, it told me I was using database v2011.12.24.05. I told it to check for updates. It downloaded v2011.12.28.03. Back to tab SCANNER. I started it doing a full scan, on Drives C:\, D:\, & Q:\.

It updated itself and scanned my laptop. The log is posted below.

Oh! Man! All is not well in Mudville, tonight! I couldn't get ESET to run!

Here's what happened.... I was in unsafe admin and MBAM had just finished. ESET was to run next, but since it had to run in I.E., I thought it would be OK to do it in unsafe user mode.

In unsafe user, I tried to execute I.E., but the system wouldn't allow it! When I tried to execute I.E. (and several other programs, too), the result was a dialogue window telling me to "select the program you want to use to execute this file" ('this' file being the .exe file I just tried to execute!). This is the same window that comes up, in normal execution, when the user double-clicks on a data file, the extension of which is not registered (is unknown to the system).

I thought that maybe I could get around the problem and get I.E. executing by double-clicking on an I.E. shortcut. It worked. However, I noticed 2 things: 1) An I.E. message box came up saying that I.E. was not the default browser and wanted to know if I wanted to make it the default browser. I chose NO because I wanted to find out what the default browser was; and 2) in the area just below the Favorites toolbar, the following text: "Your computer security settings put your computer at risk. Click here to change your security settings." The text was preceded by an icon that looked like a red shield with a large 'X' on it and a grey border all around. I decided that clicking on it would open a can of worms that I didn't want to play with, so I ignored the warning.

I typed www.google.com into the address box, "ESET" in the search key box, and double-clicked on the result, "ESET Online Scanner". After getting to the download window, accepting the EULA, and then clicking START, an informational dialogue came up saying, 'to display the webpage again, the web browser needs to resend the info you've previously submitted. If you were making a purchase ... cancel ... otherwise click retry ...'. Retry clicked.

A separate I.E. warning dialogue window came up asking, "Do you want to install this software? Name: Onlinescanner.cab ...". I clicked INSTALL. ESET is running. A warning note existed on the screen, saying 'Another anti-virus program is running. 2 or more anti-virus programs running together will mess things up here'. It was Windows Defender.

To disable it, I typed "defender" in Win 7's search window next to the START button. Windows Defender appeared at the top of the results window. Clicking on it resulted in a Windows Defender window coming up, but it contained a warning message box with a "!" shield, saying, "Service is starting ...", then another statement, "A problem caused this program's service to stop. To restart, click the START NOW button." Clicking it brings up another Windows Defender Error Message box saying, "The specified service does not exist as an installed service. (Error code 0x80070424)"

At this point, I gave up, because SAFE MODE does not allow me to use the search utility.

The Malwarebytes log files follow. The first one is the mbam file, as requested. The second file is the protection file. I'm including it because when I looked at it, I saw that it contained the word 'Error' several times.

Freddy02

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

MBAM File

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Malwarebytes Anti-Malware (Trial) 1.60.0.1800

www.malwarebytes.org

Database version: v2011.12.28.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Bill :: ZXXXY [administrator]

Protection: Enabled

12/28/2011 11:38:19 AM

mbam-log-2011-12-28 (11-38-19).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 719636

Time elapsed: 1 hour(s), 41 minute(s), 47 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PROTECTION File

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

10:52:37 Strider MESSAGE Scheduled update executed successfully

11:13:42 Bill MESSAGE Protection started successfully

11:13:45 Bill ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753

11:20:01 Bill MESSAGE Protection started successfully

11:20:04 Bill ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753

2011/12/28 11:30:11 -0700 ZXXXY Bill MESSAGE Starting protection

2011/12/28 11:30:13 -0700 ZXXXY Bill MESSAGE Protection started successfully

2011/12/28 11:30:16 -0700 ZXXXY Bill MESSAGE Starting IP protection

2011/12/28 11:30:16 -0700 ZXXXY Bill ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753

2011/12/28 11:35:44 -0700 ZXXXY Bill MESSAGE Starting database refresh

2011/12/28 11:35:46 -0700 ZXXXY Bill MESSAGE Database refreshed successfully

2011/12/28 21:36:58 -0700 ZXXXY Strider MESSAGE Executing scheduled update: Daily

2011/12/28 21:37:04 -0700 ZXXXY Strider MESSAGE Scheduled update executed successfully: database updated from version v2011.12.28.03 to version v2011.12.29.01

2011/12/28 21:46:30 -0700 ZXXXY Bill MESSAGE Starting protection

2011/12/28 21:46:32 -0700 ZXXXY Bill MESSAGE Protection started successfully

2011/12/28 21:46:35 -0700 ZXXXY Bill MESSAGE Starting IP protection

2011/12/28 21:46:35 -0700 ZXXXY Bill ERROR IP protection failed: FwpmEngineOpen0 failed with error code 1753

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


  • Staff

Hi,

I have a question concerning your most recent post. Quoting from your recent posting, "Thank you ... information. It looks like it wasn't tailored to your specific setup." My question is: WHAT wasn't tailored to my specific setup?
The instructions you were looking at. They aren't as specific as they could be, is all.

If you are still getting the error with .exe files, do this:

Please download exeHelper from one of these two places:

http://www.raktor.net/exeHelper/exeHelper.com

http://www.raktor.net/exeHelper/exeHelper.scr

Save it to your Desktop and run it. When it finishes, restart your computer and see if you can run .exe files now.

Can you uninstall F-Secure now? If so, do it and reboot. Grab a fresh copy of ComboFix, run it, and post its log. Also update MBAM, run a Quick Scan, and post its log.

Describe the issues that your computer is currently experiencing, succinctly and with bullet points if possible. :)


Screen317 -

Perhaps I wasn't aware enough, but the only times (that I remember) that I felt adrift at sea were in trying to decide from which user (Admin or regular user) and whether to use SAFE mode or try to execute your instruction in Unsafe mode, so I just tried to be logical (whatever THAT means :-) ).

OK, ran exeHelper.com - in unsafe Admin - so I would have permission to change 'things'. It ran. After several tries, all seems to be working 'OK' - and a little faster. It did create a log file. I am enclosing it here just in case it might be pertinent.

Next, F-secure. I seem to have failed to mention that the uninstall is already done .

NEXT, update ComboFix and run it. Updated. The Combofix instructions speak of disabling all anti-malware progs, & firewalls before executing it. Since the last time I tried to exq ComboFix, it told me that Windows Defender was running and to disable it before proceeding.

This time I just tried to do that before exq'g ComboFix. I got the same result as last time, so I 'took a picture' of it and am enclosing it below.

I'm executing ComboFix, 'just in case'. It stopped, like last time, and without creating a text file. However, it did not find Windows Defender, but it did find Webroot AntiVirus with SpySweeper - which is surprising because in my last posting I spoke of the difficulty getting it 'disabled' - so I uninstalled it. Now ComboFix says it found it - STILL!!

How can this BE?

Freddy02

P.S. M.S. keeps trying to send me a bunch of updates and gives me 15 min to abort the update, else it will reboot my machine. I think because the exeHelper ran, besides 'fixing' my laptop, it also allowed externals to xeq 'things', so MS is trying to update me and also some others, but I don't want them to do anything - yet - till I'm cleaned up. I keep clicking to postpone it, but that is only for 15-20 min or so. Anything I can do to make them go away for a day or two?

Oops, I don't know why, but I shut the laptop down - then M.S. downloaded the rest of the files and wouldn't let me abort its 'mission'. When it finished, it turned the laptop off.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

exeHelper.com Log

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

exeHelper by Raktor

Build 20100414

Run at 23:50:22 on 12/30/11

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

'Picture' of the Defender Access Problem (attached)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

post-21885-0-78083900-1325321433.jpg

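The symptom above (an "open with" prompt for every .exe in one account but not the other) and the exeHelper log's list of what it reset point at the same small set of registry locations. The following read-only audit of those locations is an added example for this thread, not code from the forum, from Malwarebytes or from exeHelper; the HKLM defaults are the standard Windows 7 values, and the HKCU keys it flags as "review" are an assumption about where a per-user hijack would live.

```powershell
# Read-only audit of the registry locations a fake-AV ".exe hijack" alters and
# that exeHelper's log says it reset: the .exe/.com class associations, the
# exefile/comfile open command, Winlogon's Userinit/Shell values and the
# Explorer/System policies. Added example; not code from the forum, from
# Malwarebytes or from exeHelper. It changes nothing, it only reports.

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Machine-wide values that have one known-good default on Windows 7.
$expected = @(
    @{ Key = 'HKLM:\SOFTWARE\Classes\.exe';                       Name = '(default)'; Want = 'exefile' }
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Want = '"%1" %*' }
    @{ Key = 'HKLM:\SOFTWARE\Classes\.com';                       Name = '(default)'; Want = 'comfile' }
    @{ Key = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Want = '"%1" %*' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'
       Want = "$env:SystemRoot\system32\userinit.exe," }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'
       Want = 'explorer.exe' }
)

# Per-user keys a clean profile normally lacks. A hijack that affects one account
# only (in this thread the regular user could not start .exe files while the
# Administrator account could) has to live under HKCU. Which keys a given rogue
# uses is an assumption, so their presence is reported as "review", not proof.
$perUserSuspect = @(
    'HKCU:\Software\Classes\.exe'
    'HKCU:\Software\Classes\exefile'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
)

# Policy values that block Task Manager, regedit or arbitrary programs.
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'DisallowRun' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' }
)

$findings = New-Object System.Collections.Generic.List[object]

foreach ($e in $expected) {
    $actual = Get-RegValue -Key $e.Key -Name $e.Name
    if ($null -eq $actual) { $status = 'MISSING' }
    elseif ([string]$actual -eq $e.Want) { $status = 'OK' }   # string -eq is case-insensitive
    else { $status = 'CHANGED' }
    $findings.Add([pscustomobject]@{
        Status = $status; Key = $e.Key; Name = $e.Name; Value = $actual; Expected = $e.Want })
}

foreach ($k in $perUserSuspect) {
    if (Test-Path -LiteralPath $k) {
        $findings.Add([pscustomobject]@{
            Status = 'REVIEW'; Key = $k; Name = '(default)'
            Value = (Get-RegValue -Key $k -Name '(default)'); Expected = 'key absent' })
    }
}

foreach ($p in $policies) {
    $v = Get-RegValue -Key $p.Key -Name $p.Name
    if ($null -ne $v -and [int]$v -ne 0) {
        $findings.Add([pscustomobject]@{
            Status = 'REVIEW'; Key = $p.Key; Name = $p.Name; Value = $v; Expected = 'absent or 0' })
    }
}

$findings | Format-Table -AutoSize Status, Name, Value, Expected, Key

$problems = @($findings | Where-Object { $_.Status -ne 'OK' }).Count
if ($problems -eq 0) {
    Write-Host 'No association, Winlogon or policy tampering found.'
} else {
    Write-Host "$problems item(s) need review before trusting this account's .exe handling."
}
```

Run it once from the affected account and once from the Administrator account; a hijack confined to one profile shows up only in the HKCU rows of the first run.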

  • Staff

Hi,

Do this instead; it'll disable everything automatically:

Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet. Before you download it, rename it to sega.com (ensure that the Save As type is "All Files").

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\sega.com" /killall


Hi Screen317 -

This is the second time I've had to start over because the browser took me back to the previous webpage. Going forward back to this one - all data was lost. (:angry: ) doesn't even begin to capture my mood. I'm going to type this in Notepad.

I did what you said - with the same result, '... Webroot running ...'. See attachment #1.

In my previous posting, I told you I had removed Webroot. I did, via "Programs & features".

While I waited for your reply, I did a search for "webroot" in Unsafe User (can't search in SAFE MODE), plus 'User' is where the problem started. When I saw the extent of the listings, I was blown away!! I could identify a few things, but ... wow!! I decided that you should see the output, but I didn't know how to capture the output, so I made 'photos' of each 'page', then combined them into a single photo. See attachment #2.

If it doesn't help - Oh Well!

Am I correct to halt execution when that warning is presented?

This is taking forever! I talked to some friends, you know - that huge depository of all the knowledge in the world - that is so tempting to take as gospel?

One suggested just reinstalling Windows 7. I would have to reinstall all my software, too. He suggested putting all data I wanted to save in "My Documents". What about all the e-mail I've saved since I got this laptop?

Hmmmmm. I would have had use of my laptop weeks ago. There has to be a downside - what is it?

Another suggested looking for all those processes, programs, etc. that don't have a corresponding extension defined. But then I wondered, how do you find all the 'camouflaged' stuff?

Comments?

Happy New Year !!! Freddy02

Attachment #1

post-21885-0-11554100-1325750657.jpg

Attachment #2

post-21885-0-85195000-1325755319.jpg


  • Staff

Hi,

Just click OK to the prompt about Webroot; ComboFix will proceed to kill all processes.

You could format your hard drive and reinstall Windows. This wipes your hard drive clean, along with any infection present. You can back up your important data to a flash drive or CD beforehand. Your e-mails - this depends on what service you are using for e-mail.


Screen317 -

Sorry this response took so long, I'm in the middle of helping my parents move to an assisted living facility. Spare time is at a premium. So, ...

--------------------------------------------------------------------------------------------------------------

Ignore Combofix's warning. Right!!

OK, back to Posting #8 .... I had already run exeHelper and it seemed to work.

F-secure has been totally uninstalled.

Got a fresh copy of Combofix.exe and copied it to my desktop as Sega.com and then executed it via the RUN box with the command:

%userprofile%/desktop/sega.com /killall

As instructed, I let it run through the Webroot warning. Its log file is posted below.

I also updated MBAM including its database & ran a Quick scan. The log file is posted below.

You also wanted me to describe any (other?) issues that my computer is currently experiencing. Three that have become apparent can be seen in the three attached 'photos'. The one thing that has always bothered me, and with this situation, it is screaming at me: how to protect my laptop. I thought I had a handle on it, but it seems that I was really fooling myself.

By the way, my e-mail service is COMCAST via MS Outlook.

freddy02

post-21885-0-76057500-1326180572.jpg

post-21885-0-89031100-1326180739.jpg

post-21885-0-74676000-1326180809.jpg


  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
