
SMART repair virus



Tried deleting the virus, but Avira scans say there are still 4, but access is denied. But the Malwarebytes full scan says nothing is detected. When the computer is restarted, the SMART repair data recovery pop-up is no longer there, but there is still nothing but a blue screen with nothing listed under programs. In the background, a "dd.exe file needs to close" pop-up appears instead, and the error message of a corrupted file keeps running like 50 times, flooding the screen. Need HELP please... I've attached the dds files here. Thanks a lot.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Jeff at 16:53:09 on 2012-05-14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1226 [GMT -8:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Program Files\ActivIdentity\ActivClient\accoca.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\PROGRA~1\mcafee\SITEAD~1\McSACore.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://search.live.com

uSearch Bar = hxxp://search.live.com/sphome.aspx

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

mSearchAssistant = hxxp://search.live.com/sphome.aspx

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - "c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll"

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [Device Detection] c:\program files\fujifilm\myfinepix studio\dd.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [nwiz] nwiz.exe /installquiet /nodetect

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [hpqSRMon]

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [<NO NAME>]

mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\jeff\startm~1\programs\startup\vongot~1.lnk - c:\program files\vongo\Tray.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: ahrn.com\www

Trusted Zone: ahrn.com\www*

Trusted Zone: chase.com

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 209.165.131.12 209.165.131.13 0.0.0.0

TCP: Interfaces\{8D7DC3B9-18BF-4DC8-97E5-50572F9D29C8} : DhcpNameServer = 209.165.131.12 209.165.131.13 0.0.0.0

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: ackpbsc - c:\windows\system32\ackpbsc.dll

Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\jeff\application data\mozilla\firefox\profiles\wifw4z5k.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-20 11608]

R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-20 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-20 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-20 66616]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-14 654408]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\McSACore.exe [2009-12-3 95200]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-12-10 92008]

R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-14 22344]

S2 0062421329956074mcinstcleanup;McAfee Application Installer Cleanup (0062421329956074);c:\windows\temp\006242~1.exe -cleanup -nolog --> c:\windows\temp\006242~1.EXE -cleanup -nolog [?]

S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]

S2 MOBCleanup;MOBCleanup;"c:\docume~1\jeff\locals~1\temp\mobcleanup.exe" --> c:\docume~1\jeff\locals~1\temp\MOBCleanup.exe [?]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 257696]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2010-1-6 57856]

S3 usbvm328;HP Camera;c:\windows\system32\drivers\usbvm326.sys [2011-2-14 219648]

S3 vmfilter323;VC0326 filter service for Serome;c:\windows\system32\drivers\vmfilter323.sys [2011-2-14 475264]

.

=============== Created Last 30 ================

.

2012-05-14 16:44:21 -------- d-----w- c:\documents and settings\jeff\application data\Malwarebytes

2012-05-14 16:44:15 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-14 16:44:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-05-14 16:44:15 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-04-23 17:24:12 -------- d--h--w- c:\program files\PureEdge1

.

==================== Find3M ====================

.

2012-05-05 00:10:22 70304 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-05 00:10:22 419488 ---ha-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-11 13:14:41 2148352 ---ha-w- c:\windows\system32\ntoskrnl.exe

2012-04-11 13:12:06 1862272 ---ha-w- c:\windows\system32\win32k.sys

2012-04-11 12:35:51 2026496 ---ha-w- c:\windows\system32\ntkrnlpa.exe

2012-03-01 11:01:32 916992 ---ha-w- c:\windows\system32\wininet.dll

2012-03-01 11:01:32 43520 ---ha-w- c:\windows\system32\licmgr10.dll

2012-03-01 11:01:32 1469440 ---h--w- c:\windows\system32\inetcpl.cpl

2012-02-29 14:10:16 177664 ---ha-w- c:\windows\system32\wintrust.dll

2012-02-29 14:10:16 148480 ---ha-w- c:\windows\system32\imagehlp.dll

2012-02-29 12:17:40 385024 ---ha-w- c:\windows\system32\html.iec

2001-06-20 21:19:18 40960 ---ha-w- c:\program files\ACMonitor_X83.exe

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

.

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys

c:\windows\system32\drivers\nvata.sys NVIDIA Corporation NVIDIA nForce IDE Driver

1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk0\DR0[0x8A59DAB8]

3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\0000007d[0x8A591BE0]

5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\0000007c[0x8A4FA658]

kernel: MBR read successfully

_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }

user != kernel MBR !!!

.

============= FINISH: 16:54:11.25 ===============


Welcome to Malwarebytes brightjoy2,

The logs don't quite reflect the likely bootkit/rootkit infection on that system, so let's take some different looks at things, then decide on repairs.

To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.

Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it, right-click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.

  • Double click the aswMBR.exe icon to run it
  • If you can, have an open Internet connection and allow it to download the latest Avast engine detections.
  • If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

It's a lot, but it's comprehensive and will make sure we get a good view of everything.


Thanks a lot for your help. The OTL logs are as follows:

OTL logfile created on: 5/14/2012 6:47:15 PM - Run 1

OTL by OldTimer - Version 3.2.43.0 Folder = C:\Documents and Settings\Jeff\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 1.22 Gb Available Physical Memory | 62.19% Memory free

3.82 Gb Paging File | 3.19 Gb Available in Paging File | 83.56% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 80.59 Gb Total Space | 22.81 Gb Free Space | 28.30% Space Free | Partition Type: NTFS

Drive D: | 11.53 Gb Total Space | 1.26 Gb Free Space | 10.93% Space Free | Partition Type: FAT32

Computer Name: STOLL | User Name: Jeff | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/14 18:46:51 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe

PRC - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2012/02/10 11:28:06 | 000,193,816 | -H-- | M] (Microsoft Corporation.) -- C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE

PRC - [2012/01/13 12:21:10 | 000,095,200 | -H-- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe

PRC - [2011/06/30 09:56:40 | 000,269,480 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe

PRC - [2011/04/28 07:55:25 | 000,136,360 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe

PRC - [2010/12/13 09:39:54 | 000,281,768 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

PRC - [2010/12/10 04:29:00 | 000,092,008 | -H-- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

PRC - [2010/12/10 04:28:56 | 000,247,144 | -H-- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

PRC - [2010/02/10 18:27:24 | 000,386,872 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe

PRC - [2010/01/14 22:11:00 | 000,076,968 | -H-- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

PRC - [2008/04/13 16:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/05/15 12:08:40 | 000,182,576 | -H-- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe

PRC - [2007/05/15 12:08:38 | 000,095,024 | -H-- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe

PRC - [2007/05/15 12:08:08 | 000,293,168 | -H-- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

========== Modules (No Company Name) ==========

MOD - [2011/11/03 07:28:36 | 001,292,288 | -H-- | M] () -- C:\WINDOWS\system32\quartz.dll

MOD - [2011/02/04 18:48:30 | 000,291,840 | -H-- | M] () -- C:\WINDOWS\system32\sbe.dll

MOD - [2010/06/17 15:27:22 | 000,355,688 | -H-- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll

MOD - [2008/04/13 16:11:59 | 000,014,336 | -H-- | M] () -- C:\WINDOWS\system32\msdmo.dll

MOD - [2008/04/13 16:11:51 | 000,059,904 | -H-- | M] () -- C:\WINDOWS\system32\devenum.dll

MOD - [2006/07/11 20:55:04 | 000,172,032 | -H-- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\common\CLDataSync.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\Jeff\LOCALS~1\Temp\MOBCleanup.exe -- (MOBCleanup)

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\TEMP\006242~1.EXE -- (0062421329956074mcinstcleanup) McAfee Application Installer Cleanup (0062421329956074)

SRV - [2012/05/04 16:10:23 | 000,257,696 | -H-- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2012/02/10 11:28:06 | 000,240,408 | -H-- | M] (Microsoft Corporation.) [On_Demand | Running] -- C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.EXE -- (BBUpdate)

SRV - [2012/02/10 11:28:06 | 000,193,816 | -H-- | M] (Microsoft Corporation.) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE -- (BBSvc)

SRV - [2012/01/13 12:21:10 | 000,095,200 | -H-- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)

SRV - [2011/06/30 09:56:40 | 000,269,480 | -H-- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2011/04/28 07:55:25 | 000,136,360 | -H-- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2010/12/10 04:29:00 | 000,092,008 | -H-- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)

SRV - [2007/05/15 12:08:40 | 000,182,576 | -H-- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca)

SRV - [2006/06/12 12:27:28 | 000,126,976 | -H-- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr)

SRV - [2006/05/09 12:11:10 | 000,176,128 | -H-- | M] (Starz Entertainment Group LLC) [Auto | Stopped] -- C:\Program Files\Vongo\VongoService.exe -- (Vongo Service)

SRV - [2005/10/06 17:12:30 | 000,855,552 | -H-- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\UIUSYS.SYS -- (UIUSys)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)

DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)

DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)

DRV - File not found [Kernel | System | Stopped] -- -- (Changer)

DRV - [2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2011/06/30 09:56:41 | 000,138,192 | -H-- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)

DRV - [2011/06/30 09:56:41 | 000,066,616 | -H-- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)

DRV - [2010/06/17 15:27:22 | 000,028,520 | -H-- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)

DRV - [2010/06/17 15:27:12 | 000,011,608 | -H-- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)

DRV - [2010/01/06 19:19:00 | 000,057,856 | -H-- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SCR3XX2K.sys -- (SCR3XX2K)

DRV - [2009/06/22 03:48:44 | 000,091,776 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mqac.sys -- (MQAC)

DRV - [2008/05/08 06:02:52 | 000,203,136 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rmcast.sys -- (RMCAST)

DRV - [2007/04/13 04:56:45 | 000,475,264 | RH-- | M] (Vimicro Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vmfilter323.sys -- (vmfilter323)

DRV - [2007/04/13 04:56:45 | 000,219,648 | RH-- | M] (Vimicro Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbvm326.sys -- (usbvm328)

DRV - [2006/08/29 14:12:28 | 000,990,592 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)

DRV - [2006/08/29 14:11:08 | 000,208,384 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)

DRV - [2006/08/29 14:10:56 | 000,728,576 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

DRV - [2006/06/19 04:37:34 | 000,036,864 | -H-- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)

DRV - [2006/06/06 12:39:56 | 000,061,952 | -H-- | M] (Ricoh) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\5U870CAP.sys -- (5U870CAP_VID_1262&PID_25FD)

DRV - [2006/06/01 16:02:36 | 000,572,928 | -H-- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)

DRV - [2006/05/12 12:05:02 | 000,057,320 | -H-- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)

DRV - [2006/04/28 09:12:00 | 000,429,184 | -H-- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)

DRV - [2006/03/05 15:49:36 | 000,011,136 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)

DRV - [2006/03/02 16:31:04 | 000,013,056 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)

DRV - [2006/03/02 16:31:02 | 000,034,176 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)

DRV - [2006/01/26 16:04:16 | 000,099,584 | -H-- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvata.sys -- (nvata)

DRV - [2005/11/15 20:28:32 | 000,028,928 | -H-- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)

DRV - [2005/10/31 18:08:00 | 000,308,992 | -H-- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)

DRV - [2005/10/31 17:54:50 | 000,051,584 | -H-- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)

DRV - [2005/09/19 13:24:20 | 000,005,760 | -H-- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)

DRV - [2005/09/19 13:24:10 | 000,009,344 | -H-- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)

DRV - [2005/09/19 13:23:52 | 000,007,808 | -H-- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)

DRV - [2004/08/03 22:31:34 | 000,020,992 | -H-- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx

IE - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com

IE - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

IE - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

IE - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC

IE - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={searchTerms}

IE - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..\SearchScopes\{F5CB2064-D2FA-4E5D-9A55-C05764F1FB0E}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7

IE - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"

FF - prefs.js..browser.search.selectedEngine: "Secure Search"

FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/08/04 14:59:39 | 000,000,000 | -H-D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2012/03/04 11:16:00 | 000,000,000 | -H-D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/10 10:11:25 | 000,000,000 | -H-D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/06 19:04:38 | 000,000,000 | -H-D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Components: C:\Program Files\Netscape\Netscape Browser\Components [2012/03/16 15:12:17 | 000,000,000 | -H-D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Plugins: C:\Program Files\Netscape\Netscape Browser\Plugins [2012/05/06 19:04:39 | 000,000,000 | -H-D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/08/04 14:59:39 | 000,000,000 | -H-D | M]

[2011/03/01 14:46:11 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Extensions

[2011/03/01 14:46:11 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Extensions\home2@tomtom.com

[2012/05/05 15:55:48 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\wifw4z5k.default\extensions

[2012/02/07 19:15:51 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2012/01/29 07:55:53 | 000,134,104 | -H-- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2007/06/11 03:34:00 | 002,115,816 | -H-- | M] () -- C:\Program Files\mozilla firefox\plugins\NPSWF32.dll

[2012/01/29 05:36:35 | 000,002,252 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2010/09/20 10:31:51 | 000,002,024 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml

[2012/01/29 05:36:35 | 000,002,040 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2006/03/15 20:00:00 | 000,000,734 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (Bing Bar Helper) - {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)

O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (Bing Bar) - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.

O3 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)

O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\Cpqset.exe ()

O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows ® Server 2003 DDK provider)

O4 - HKLM..\Run: [hpqSRMon] File not found

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()

O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()

O4 - HKLM..\Run: [Reminder] C:\WINDOWS\CREATOR\Remind_XP.exe (SoftThinks)

O4 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005..\Run: [Device Detection] C:\Program Files\FUJIFILM\MyFinePix Studio\dd.exe ()

O4 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\StartUp\Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (Starz)

O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\StartUp\Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (Starz)

O4 - Startup: C:\Documents and Settings\Jeff\Start Menu\Programs\StartUp\Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (Starz)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O15 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..Trusted Domains: ahrn.com ([www] http in Trusted sites)

O15 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..Trusted Domains: ahrn.com ([www*] https in Trusted sites)

O15 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..Trusted Domains: army.mil ([]* in Local intranet)

O15 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..Trusted Domains: chase.com ([]https in Trusted sites)

O15 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..Trusted Domains: internet ([]about in Trusted sites)

O15 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..Trusted Domains: mcafee.com ([]http in Trusted sites)

O15 - HKU\S-1-5-21-2278501756-2133485100-4214599645-1005\..Trusted Domains: mcafee.com ([]https in Trusted sites)

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab (DDRevision Class)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)

O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.165.131.12 209.165.131.13 0.0.0.0

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8D7DC3B9-18BF-4DC8-97E5-50572F9D29C8}: DhcpNameServer = 209.165.131.12 209.165.131.13 0.0.0.0

O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\ackpbsc: DllName - (C:\WINDOWS\system32\ackpbsc.dll) - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity)

O20 - Winlogon\Notify\acunlock: DllName - (C:\Program Files\ActivIdentity\ActivClient\acunlock.dll) - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity)

O24 - Desktop WallPaper: C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2001/07/27 22:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]

O32 - AutoRun File - [2007/09/26 03:18:56 | 000,000,090 | -H-- | M] () - D:\Autorun.inf -- [ FAT32 ]

O32 - AutoRun File - [2004/04/30 14:01:14 | 000,000,053 | -HS- | M] () - D:\AUTORUN.FCB -- [ FAT32 ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/14 18:46:47 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe

[2012/05/14 16:53:09 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Jeff\Start Menu\Programs\Administrative Tools

[2012/05/14 16:52:11 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Jeff\Desktop\dds.com

[2012/05/14 08:44:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Application Data\Malwarebytes

[2012/05/14 08:44:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/05/14 08:44:15 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2012/05/14 08:44:15 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2012/05/14 08:44:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2012/05/14 08:29:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jeff\Recent

[2012/05/11 16:04:17 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Jeff\Start Menu\Programs\Data Recovery

[2012/04/30 09:33:45 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight

[2012/04/30 09:33:41 | 000,000,000 | -H-D | C] -- C:\Program Files\Microsoft Silverlight

[2012/04/23 09:33:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Jeff\Desktop\PureEdge

[2012/04/23 09:24:12 | 000,000,000 | -H-D | C] -- C:\Program Files\PureEdge1

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/14 18:46:51 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe

[2012/05/14 18:39:45 | 000,001,350 | -H-- | M] () -- C:\hpqp.ini

[2012/05/14 18:37:33 | 000,000,039 | -H-- | M] () -- C:\XP_TV.ini

[2012/05/14 18:37:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012/05/14 17:10:15 | 000,000,830 | -H-- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job

[2012/05/14 16:52:14 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Jeff\Desktop\dds.com

[2012/05/14 08:44:16 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/05/14 08:28:10 | 000,001,158 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2012/05/12 20:20:25 | 000,000,855 | -H-- | M] () -- C:\Documents and Settings\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk

[2012/05/12 20:20:25 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-883o8ZUhSyoNkar

[2012/05/12 20:20:25 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-883o8ZUhSyoNka

[2012/05/12 20:20:19 | 000,000,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\883o8ZUhSyoNka

[2012/05/12 20:19:46 | 000,000,664 | -H-- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2012/05/11 16:04:19 | 000,000,837 | -H-- | M] () -- C:\Documents and Settings\Jeff\Desktop\Data_Recovery.lnk

[2012/05/11 15:57:21 | 000,051,048 | -H-- | M] () -- C:\WINDOWS\System32\nvapps.xml

[2012/05/10 16:18:06 | 000,330,688 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2012/05/10 15:49:29 | 000,452,834 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2012/05/10 15:49:29 | 000,074,842 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2012/05/06 19:04:39 | 000,001,729 | -H-- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2012/05/06 18:57:40 | 000,077,386 | -H-- | M] () -- C:\WINDOWS\hpqins05.dat

[2012/05/06 18:55:56 | 000,000,059 | -H-- | M] () -- C:\WINDOWS\WININIT.INI

[2012/05/06 18:53:41 | 000,001,018 | -H-- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk

[2012/05/04 16:10:22 | 000,419,488 | -H-- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe

[2012/05/04 16:10:22 | 000,070,304 | -H-- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

[2012/04/30 19:15:56 | 009,080,143 | -H-- | M] () -- C:\Documents and Settings\Jeff\Desktop\TC_3-22.20.pdf

[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/14 08:44:16 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/05/12 20:20:24 | 000,000,855 | -H-- | C] () -- C:\Documents and Settings\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk

[2012/05/11 16:04:19 | 000,000,837 | -H-- | C] () -- C:\Documents and Settings\Jeff\Desktop\Data_Recovery.lnk

[2012/05/11 16:04:19 | 000,000,176 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-883o8ZUhSyoNkar

[2012/05/11 16:04:19 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-883o8ZUhSyoNka

[2012/05/11 16:04:11 | 000,000,256 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\883o8ZUhSyoNka

[2012/05/06 18:53:41 | 000,001,018 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk

[2012/05/06 18:52:06 | 000,077,386 | -H-- | C] () -- C:\WINDOWS\hpqins05.dat

[2012/04/30 19:15:56 | 009,080,143 | -H-- | C] () -- C:\Documents and Settings\Jeff\Desktop\TC_3-22.20.pdf

[2012/02/15 17:37:00 | 000,003,072 | -H-- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2011/02/14 13:40:57 | 000,135,168 | RH-- | C] () -- C:\WINDOWS\System32\setupfilter.exe

[2011/02/14 13:25:05 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat

[2010/08/04 14:57:49 | 000,023,097 | -H-- | C] () -- C:\WINDOWS\hpqins15.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

OTL Extras logfile created on: 5/14/2012 6:47:15 PM - Run 1

OTL by OldTimer - Version 3.2.43.0 Folder = C:\Documents and Settings\Jeff\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 1.22 Gb Available Physical Memory | 62.19% Memory free

3.82 Gb Paging File | 3.19 Gb Available in Paging File | 83.56% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 80.59 Gb Total Space | 22.81 Gb Free Space | 28.30% Space Free | Partition Type: NTFS

Drive D: | 11.53 Gb Total Space | 1.26 Gb Free Space | 10.93% Space Free | Partition Type: FAT32

Computer Name: STOLL | User Name: Jeff | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.html [@ = NetscapeHTML] -- C:\Program Files\Netscape\Netscape Browser\netscape.exe (Netscape)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

http [open] -- C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE -url "%1" (Netscape)

https [open] -- C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE -url "%1" (Netscape)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"" =

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"" =

"C:\Program Files\Vongo\VongoService.exe" = C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService -- (Starz Entertainment Group LLC)

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe:*:Enabled:hpqcopy2.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)

"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()

"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe:*:Enabled:hpqcopy2.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)

"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)

"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)

"C:\Program Files\BearShare\BearShare.exe" = C:\Program Files\BearShare\BearShare.exe:*:Enabled:BearShare -- (Free Peers, Inc.)

"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{069730C2-755A-485B-A205-27A1AAFA836A}" = InstantShareAlert

"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module

"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant

"{09D8492A-C8E2-421E-927D-46800FB327A3}" = Wireless Home Network Setup

"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox

"{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update

"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1

"{13BCF6CB-2F54-4962-9B11-32F07048ACF3}" = HP User Guides 0031

"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime

"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{1CB34CE9-0E6B-493F-BB66-3425E5DF76E5}" = CP_CalendarTemplates1

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus

"{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement

"{23B35809-5E4A-4F14-8332-1CDEDDFAC089}" = CP_Package_Variety2

"{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine

"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java 6 Update 17

"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006

"{2A548002-9042-4083-A270-B67473DE1073}" = SkinsHP1

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE

"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.10 A2

"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}" = Unload

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor

"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder

"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup

"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting

"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support

"{3FE0CFAB-584A-4AA5-B8CD-C32284CFA308}" = RandMap

"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works

"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 G2

"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 2.3

"{47D2103B-FD51-4017-9C20-DD408B17D726}" = Office 2003 Trial Assistant

"{494D17B5-3369-4905-8C4B-80C972C5E0FF}" = CP_Panorama1Config

"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter

"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout

"{4CCC7F68-A437-4559-A840-F5E010934951}" = HP Driver Diagnostics

"{4DA4012B-39AF-48c2-B23B-A4D570D233A6}" = cp_LightScribeConfig

"{4F923F90-46D1-4492-9CC6-13FBBA00E7EC}" = C4400

"{522D1D79-9C0A-4361-91F8-2AFF8EC6C2E1}" = CP_Package_Variety1

"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery

"{52FBAE98-D389-4281-8C14-21B4046CCB4E}" = SonicAC3Encoder

"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder

"{54F0998F-73C8-4b51-8286-FE903C231BED}" = cp_PosterPrintConfig

"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp

"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler

"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder

"{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc

"{6815FCDD-401D-481E-BA88-31B4754C2B46}" = Macromedia Flash Player 8

"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6A28AB0B-22B1-494C-AF61-B386EA1736C0}" = LightScribe 1.4.97.1

"{6B407945-AE16-4A2A-BAAF-497FE62EDED3}" = PS_AIO_03_C4400_Software_Min

"{6B437F94-056F-4791-AF2C-0D10E2706AF0}" = PanoStandAlone

"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder

"{766633B3-1AFA-44B6-A3FC-1DE991CD9C52}" = CP_Package_Basic1

"{79F8E1D4-36C1-439C-95FA-F695050B5B07}" = Sonic_PrimoSDK

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX

"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan

"{80AE27BA-B0ED-4288-A8B9-D8194BCF4115}" = cp_UpdateProjectsConfig

"{838A1BC9-95CA-4880-9BE3-2A7D23600A2B}" = Macromedia Shockwave Player

"{869C3062-4745-4949-B6C9-98AF24D89030}" = PhotoGallery

"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport

"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules

"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14

"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010

"{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010

"{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010

"{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010

"{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010

"{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010

"{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010

"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010

"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010

"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010

"{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010

"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010

"{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010

"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010

"{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010

"{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)

"{939F8208-C8CE-4AFF-B7BA-ACEB2E74A6CB}" =

"{954B7F64-D1D4-476F-8919-99585D0A6ABF}" = PS_AIO_03_C4400_Software

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{9D4ABB0C-F60B-44A6-956C-A4A63D5495C9}" = CueTour

"{A01FC76F-CC09-4658-9E37-5C2F635EE708}" = TourSetup

"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support

"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module

"{AC194855-F7AC-4D04-B4C9-07BA46FCB697}" = ActivClient CAC 6.1 x86

"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4

"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1

"{B11E71BA-498C-42D4-9F1A-9D7A89D9DA61}" = CP_AtenaShokunin1Config

"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module

"{B16AF568-A644-483C-A6DA-5028CD019C8C}" = SonicMPEGEncoder

"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR

"{B57F2FF0-5A25-4332-B503-4592B370C02F}" = CP_Package_Variety3

"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply

"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5

"{BBD3BF67-5B89-4CBB-BA58-5818ED5F3290}" = cp_OnlineProjectsConfig

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant

"{C9CE9393-B568-428D-AD5B-55452B9748DB}" = PS_AIO_03_C4400_ProductContext

"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg

"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch

"{D6C3C9E7-D334-4918-BD57-5B1EF14C207D}" = Bing Bar

"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component

"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp

"{DB7E00C9-6DEF-489A-8112-D8F81614F45A}" = Vongo

"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01

"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1

"{E6B43401-E818-4961-AFED-118DD8E87642}" = RAF

"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer

"{F42CD69D-E393-47c8-B2CD-B139C4ADA9A8}" = Copy

"{F7B72805-2F58-4C04-AE9E-E7AD6A6EF62E}" = C4400_Help

"{FB09F05F-85C6-4205-B28D-5BF071D276C3}" = muvee autoProducer 5.0

"{FC8D25A7-FF1B-41BB-BB3B-9A06C0A60AE0}" = InstantShareDevices

"{FF1F4E8E-A833-4c4b-A14A-45D5B841B5D8}" = HP Photosmart C4400 All-In-One Driver Software 10.0 Rel .3

"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus

"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto

"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter

"CNXT_HDAUDIO" = Conexant HD Audio

"CNXT_MODEM_PCI_VEN_14F1&DEV_5045_at8ven5m" = Soft Data Fax Modem with SmartCP

"HP Game Console" = HP Game Console and games

"HP Imaging Device Functions" = HP Imaging Device Functions 10.0

"HP Photo & Imaging" = HP Photosmart Premier Software 6.0

"HP Photosmart Essential" = HP Photosmart Essential 2.5

"HP Rhapsody" = HP Rhapsody

"HP Smart Web Printing" = HP Smart Web Printing 4.60

"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0

"HPExtendedCapabilities" = HP Customer Participation Program 10.0

"HPOCR" = OCR Software by I.R.I.S. 10.0

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"ie8" = Windows Internet Explorer 8

"InstallShield_{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Money2006b" = Microsoft Money 2006

"Mozilla Firefox 10.0 (x86 en-US)" = Mozilla Firefox 10.0 (x86 en-US)

"MyFinePix Studio_is1" = FUJIFILM MyFinePix Studio 3.1

"Netscape Browser" = Netscape Browser (remove only)

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NVIDIA Drivers" = NVIDIA Drivers

"Office14.SingleImage" = Microsoft Office Home and Student 2010

"Shop for HP Supplies" = Shop for HP Supplies

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"TomTom HOME" = TomTom HOME 2.8.0.2146

"Windows Media Format Runtime" = Windows Media Format Runtime

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMCSetup" = Windows Media Connect

"Yahoo! Companion" = Yahoo! Toolbar for Internet Explorer

"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 5/14/2012 6:50:32 PM | Computer Name = STOLL | Source = Application Error | ID = 1000

Description = Faulting application dd.exe, version 1.12.0.0, faulting module dd.exe,

version 1.12.0.0, fault address 0x0003ae67.

Error - 5/14/2012 6:52:30 PM | Computer Name = STOLL | Source = Media Center Scheduler | ID = 0

Description =

Error - 5/14/2012 8:58:02 PM | Computer Name = STOLL | Source = MSDTC | ID = 4404

Description = MS DTC Tracing infrastructure : the initialization of the tracing

infrastructure failed. Internal Information : msdtc_trace : File: d:\comxp_sp3\com\com1x\dtc\dtc\trace\src\tracelib.cpp,

Line: 1115, StartTrace Failed, hr=0x800700a1

Error - 5/14/2012 8:58:03 PM | Computer Name = STOLL | Source = Media Center Scheduler | ID = 0

Description =

Error - 5/14/2012 8:59:20 PM | Computer Name = STOLL | Source = Application Error | ID = 1000

Description = Faulting application dd.exe, version 1.12.0.0, faulting module dd.exe,

version 1.12.0.0, fault address 0x0003ae67.

Error - 5/14/2012 9:00:23 PM | Computer Name = STOLL | Source = Media Center Scheduler | ID = 0

Description =

Error - 5/14/2012 10:37:40 PM | Computer Name = STOLL | Source = MSDTC | ID = 4404

Description = MS DTC Tracing infrastructure : the initialization of the tracing

infrastructure failed. Internal Information : msdtc_trace : File: d:\comxp_sp3\com\com1x\dtc\dtc\trace\src\tracelib.cpp,

Line: 1115, StartTrace Failed, hr=0x800700a1

Error - 5/14/2012 10:37:41 PM | Computer Name = STOLL | Source = Media Center Scheduler | ID = 0

Description =

Error - 5/14/2012 10:38:58 PM | Computer Name = STOLL | Source = Application Error | ID = 1000

Description = Faulting application dd.exe, version 1.12.0.0, faulting module dd.exe,

version 1.12.0.0, fault address 0x0003ae67.

Error - 5/14/2012 10:40:46 PM | Computer Name = STOLL | Source = Media Center Scheduler | ID = 0

Description =

[ System Events ]

Error - 5/14/2012 2:27:01 PM | Computer Name = STOLL | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

AliIde IntelIde Pcmcia ViaIde

Error - 5/14/2012 2:42:28 PM | Computer Name = STOLL | Source = Service Control Manager | ID = 7000

Description = The MOBCleanup service failed to start due to the following error:

%%2

Error - 5/14/2012 2:43:58 PM | Computer Name = STOLL | Source = Service Control Manager | ID = 7022

Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 5/14/2012 2:43:58 PM | Computer Name = STOLL | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

AliIde IntelIde Pcmcia ViaIde

Error - 5/14/2012 6:49:54 PM | Computer Name = STOLL | Source = Service Control Manager | ID = 7000

Description = The MOBCleanup service failed to start due to the following error:

%%2

Error - 5/14/2012 6:51:20 PM | Computer Name = STOLL | Source = Service Control Manager | ID = 7022

Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 5/14/2012 8:58:40 PM | Computer Name = STOLL | Source = Service Control Manager | ID = 7000

Description = The MOBCleanup service failed to start due to the following error:

%%2

Error - 5/14/2012 9:00:07 PM | Computer Name = STOLL | Source = Service Control Manager | ID = 7022

Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 5/14/2012 10:38:16 PM | Computer Name = STOLL | Source = Service Control Manager | ID = 7000

Description = The MOBCleanup service failed to start due to the following error:

%%2

Error - 5/14/2012 10:39:43 PM | Computer Name = STOLL | Source = Service Control Manager | ID = 7022

Description = The HP CUE DeviceDiscovery Service service hung on starting.

< End of report >


The GMER log

---- System - GMER 1.0.15 ----

SSDT EE8A668C ZwClose

SSDT EE8A6646 ZwCreateKey

SSDT EE8A6696 ZwCreateSection

SSDT EE8A663C ZwCreateThread

SSDT EE8A664B ZwDeleteKey

SSDT EE8A6655 ZwDeleteValueKey

SSDT EE8A6687 ZwDuplicateObject

SSDT EE8A665A ZwLoadKey

SSDT EE8A6628 ZwOpenProcess

SSDT EE8A662D ZwOpenThread

SSDT EE8A6664 ZwReplaceKey

SSDT EE8A665F ZwRestoreKey

SSDT EE8A669B ZwSetContextThread

SSDT EE8A6650 ZwSetValueKey

SSDT EE8A6637 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6249360, 0x225D9D, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----


Finally, the AVAST log. It kept giving me a blue screen saying "dump of physical memory" when I ran it. It took me four tries to finally get this done. Thanks for helping again.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-05-15 10:01:38

-----------------------------

10:01:38.656 OS Version: Windows 5.1.2600 Service Pack 3

10:01:38.656 Number of processors: 2 586 0x4802

10:01:38.656 ComputerName: STOLL UserName: Jeff

10:01:39.593 Initialize success

10:01:55.734 AVAST engine defs: 12051401

10:02:00.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000007c

10:02:00.421 Disk 0 Vendor: Size: 0MB BusType: 0

10:02:00.500 Disk 0 MBR read error 0

10:02:00.500 Disk 0 MBR scan

10:02:01.125 Disk 0 unknown MBR code

10:02:01.140 MBR BIOS signature not found 0

10:02:01.218 Disk 0 scanning C:\WINDOWS\system32\drivers

10:02:19.468 Service scanning

10:02:43.937 Modules scanning

10:02:50.765 Disk 0 trace - called modules:

10:02:50.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys

10:02:50.828 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5901e8]

10:02:50.843 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\0000007d[0x8a59ef18]

10:02:50.890 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\0000007c[0x8a4b6658]

10:02:51.296 AVAST engine scan C:\WINDOWS

10:03:00.484 AVAST engine scan C:\WINDOWS\system32

10:07:51.859 AVAST engine scan C:\WINDOWS\system32\drivers

10:08:16.046 AVAST engine scan C:\Documents and Settings\Jeff

10:08:36.109 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jeff\Desktop\MBR.dat"

10:08:36.125 The log file has been saved successfully to "C:\Documents and Settings\Jeff\Desktop\aswMBR.txt"


This is really looking like a bootkit MBR (Master Boot Record) infection. Please do everything you can to make sure AntiVir is completely disabled.

Just to be sure, reboot to Safe Mode for this next step. At startup, tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that appears.

Click here and download Kaspersky's TDSSKiller to your desktop, but as you download it, rename it to larry.com, then click that file to run TDSSKiller.

In the display that opens, click Start scan. Once that completes, follow any prompts to act on anything it located, including a reboot (Reboot Now) if requested.

When the scan completes it will create a log file on your C drive.

Similar in name to this:

C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt

Your copy will be different - some of those numbers will reflect the date/time it was just run by you there.

Copy/paste those contents back here, please. If it does locate malware but does not prompt for a reboot, go ahead and reboot anyway.

Assuming it did locate malware and displayed Reboot Now, do that, then run it again after the reboot and post back both logs, please.

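The aswMBR run above saved the first sector of disk 0 to MBR.dat, and the helper's diagnosis rests on what that sector contains. An MBR bootkit normally leaves the partition table alone and replaces only the boot code, so the useful checks on such a dump are: the 0x55AA boot signature at offset 510, whether the boot code still looks like the OS loader, whether exactly one partition is marked active, whether the four entries are internally consistent (no overlaps, empty slots really empty), and whether the partition table agrees with what an independent tool reported. The following Python script is an added example and is not part of this thread or of any of the tools mentioned in it. It assumes a 512-byte dump file, treats the first seven bytes of the Windows XP MBR loader (xor ax,ax / mov ss,ax / mov sp,0x7C00) as a heuristic for "unmodified loader", and expects the analyst to supply SHA-256 hashes of boot code taken from known-clean disks. The sample images at the bottom are constructed; their partition geometry is the one TDSSKiller printed for \Device\Harddisk0\DR0 in this thread, and the active flag on partition 0 is an assumption.

```python
"""Sanity-check a 512-byte MBR dump (for example the MBR.dat that aswMBR
saved to the desktop) and cross-check its partition table against the
layout another tool reported. Added example; not part of the original post."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440       # bytes 0..439 hold the boot code
PART_TABLE_OFFSET = 446   # four 16-byte partition entries start here
BOOT_SIGNATURE = 0xAA55   # bytes 55 AA at offset 510, read little-endian

# Heuristic (assumption): the Windows NT/2000/XP MBR loader begins with
# xor ax,ax / mov ss,ax / mov sp,0x7C00. A replaced loader usually does not.
XP_BOOT_CODE_PREFIX = bytes.fromhex("33C08ED0BC007C")


def load_mbr(path):
    """Read the first sector from a dump file such as MBR.dat."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_partition_table(mbr):
    """Return the four partition entries as dicts, empty slots included."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        flag, _chs1, ptype, _chs2, start, sectors = struct.unpack_from("<B3sB3sII", mbr, off)
        entries.append({"index": i, "flag": flag, "active": flag == 0x80,
                        "type": ptype, "start_lba": start, "sectors": sectors})
    return entries


def check_mbr(mbr, known_good_code_hashes=(), expected_table=None):
    """Return a list of findings; an empty list means nothing looked off.

    known_good_code_hashes: SHA-256 hex digests of boot code (bytes 0..439)
        taken from clean disks with the same OS; the analyst supplies these.
    expected_table: optional [(type, start_lba, sectors), ...] from an
        independent source, such as the partition list TDSSKiller printed.
    """
    if len(mbr) != MBR_SIZE:
        return [f"size {len(mbr)} != {MBR_SIZE}"]
    findings = []
    (sig,) = struct.unpack_from("<H", mbr, 510)
    if sig != BOOT_SIGNATURE:
        findings.append(f"boot signature 0x{sig:04X} != 0xAA55")
    code = mbr[:BOOT_CODE_END]
    digest = hashlib.sha256(code).hexdigest()
    if known_good_code_hashes and digest not in known_good_code_hashes:
        findings.append(f"boot code sha256 {digest[:16]}... not in known-good set")
    if not code.startswith(XP_BOOT_CODE_PREFIX):
        findings.append("boot code does not start with the XP loader prologue")
    entries = parse_partition_table(mbr)
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for e in entries:
        if e["flag"] not in (0x00, 0x80):
            findings.append(f"entry {e['index']}: invalid boot flag 0x{e['flag']:02X}")
        if e["type"] == 0 and (e["flag"] or e["start_lba"] or e["sectors"]):
            findings.append(f"entry {e['index']}: type 0 but not all-zero")
        if e["type"] != 0 and (e["start_lba"] == 0 or e["sectors"] == 0):
            findings.append(f"entry {e['index']}: zero start or length")
    used = [e for e in entries if e["type"] != 0]
    spans = sorted((e["start_lba"], e["start_lba"] + e["sectors"], e["index"]) for e in used)
    for (_, end1, i1), (start2, _, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"entries {i1} and {i2} overlap")
    if expected_table is not None:
        got = [(e["type"], e["start_lba"], e["sectors"]) for e in used]
        if got != list(expected_table):
            findings.append(f"partition table {got} differs from expected {list(expected_table)}")
    return findings


def build_mbr(boot_code, table, signature=BOOT_SIGNATURE):
    """Assemble a constructed MBR: boot code, disk signature, table, boot signature."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"   # made-up NT disk signature + 2 reserved bytes
    entries = b"".join(struct.pack("<B3sB3sII", flag, b"\0\0\0", ptype, b"\0\0\0", start, sectors)
                       for flag, ptype, start, sectors in table).ljust(64, b"\x00")
    return code + disk_sig + entries + struct.pack("<H", signature)


# Constructed sample data. The partition geometry is the one TDSSKiller printed for
# \Device\Harddisk0\DR0 in this thread; the active flag on partition 0 is assumed.
TABLE = [(0x80, 0x07, 0x3F, 0xA13099A), (0x00, 0x0C, 0xA13489A, 0x171A8E4)]
EXPECTED_FROM_TDSSKILLER = [(0x07, 0x3F, 0xA13099A), (0x0C, 0xA13489A, 0x171A8E4)]
CLEAN_MBR = build_mbr(XP_BOOT_CODE_PREFIX, TABLE)            # XP prologue, zero-padded stand-in
TAMPERED_MBR = build_mbr(bytes.fromhex("EB3E90"), TABLE)     # foreign jmp stub, same table
KNOWN_GOOD = {hashlib.sha256(CLEAN_MBR[:BOOT_CODE_END]).hexdigest()}  # from a clean disk in practice

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, KNOWN_GOOD, EXPECTED_FROM_TDSSKILLER) or "no findings")
```

To use it on the real dump, call `check_mbr(load_mbr(r"C:\Documents and Settings\Jeff\Desktop\MBR.dat"), known_good, EXPECTED_FROM_TDSSKILLER)` with hashes from a clean XP install. One caveat matters more than any single check: a bootkit that filters disk I/O can hand a pristine sector 0 to tools running on the infected system, so a dump that passes every test here is only trustworthy if it was taken with the disk mounted from separate boot media. aswMBR's "Size 0MB" and "MBR read error 0" lines in the log above are themselves a reason to repeat the read offline rather than to draw conclusions from that run.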

15:48:21.0921 0952 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18

15:48:22.0390 0952 ============================================================

15:48:22.0390 0952 Current date / time: 2012/05/15 15:48:22.0390

15:48:22.0390 0952 SystemInfo:

15:48:22.0390 0952

15:48:22.0390 0952 OS Version: 5.1.2600 ServicePack: 3.0

15:48:22.0390 0952 Product type: Workstation

15:48:22.0390 0952 ComputerName: STOLL

15:48:22.0390 0952 UserName: Jeff

15:48:22.0390 0952 Windows directory: C:\WINDOWS

15:48:22.0390 0952 System windows directory: C:\WINDOWS

15:48:22.0390 0952 Processor architecture: Intel x86

15:48:22.0390 0952 Number of processors: 2

15:48:22.0390 0952 Page size: 0x1000

15:48:22.0390 0952 Boot type: Safe boot with network

15:48:22.0390 0952 ============================================================

15:48:24.0656 0952 Drive \Device\Harddisk0\DR0 - Size: 0x174A446000 (93.16 Gb), SectorSize: 0x200, Cylinders: 0x2F81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050

15:48:24.0656 0952 ============================================================

15:48:24.0656 0952 \Device\Harddisk0\DR0:

15:48:24.0656 0952 MBR partitions:

15:48:24.0656 0952 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xA13099A

15:48:24.0656 0952 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xC, StartLBA 0xA13489A, BlocksNum 0x171A8E4

15:48:24.0656 0952 ============================================================

15:48:24.0890 0952 C: <-> \Device\Harddisk0\DR0\Partition0

15:48:24.0906 0952 D: <-> \Device\Harddisk0\DR0\Partition1

15:48:24.0906 0952 ============================================================

15:48:24.0906 0952 Initialize success

15:48:24.0906 0952 ============================================================

15:48:28.0265 1020 ============================================================

15:48:28.0265 1020 Scan started

15:48:28.0265 1020 Mode: Manual;

15:48:28.0265 1020 ============================================================

15:48:28.0562 1020 0062421329956074mcinstcleanup - ok

15:48:28.0703 1020 5U870CAP_VID_1262&PID_25FD (d2142fee659d97b2b05820f21594bfe2) C:\WINDOWS\system32\Drivers\5U870CAP.sys

15:48:28.0703 1020 5U870CAP_VID_1262&PID_25FD - ok

15:48:28.0718 1020 Abiosdsk - ok

15:48:28.0843 1020 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

15:48:28.0843 1020 abp480n5 - ok

15:48:28.0937 1020 accoca (ec4a5d4e36a8e49261cd823450e0ba51) C:\Program Files\ActivIdentity\ActivClient\accoca.exe

15:48:28.0937 1020 accoca - ok

15:48:28.0984 1020 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

15:48:28.0984 1020 ACPI - ok

15:48:29.0000 1020 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

15:48:29.0000 1020 ACPIEC - ok

15:48:29.0109 1020 AddFiltr (746742588c07db53731143229e2ee450) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe

15:48:29.0109 1020 AddFiltr - ok

15:48:29.0218 1020 AdobeFlashPlayerUpdateSvc (76d5a3d2a50402a0b9b6ed13c4371e79) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe

15:48:29.0218 1020 AdobeFlashPlayerUpdateSvc - ok

15:48:29.0265 1020 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

15:48:29.0265 1020 adpu160m - ok

15:48:29.0328 1020 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

15:48:29.0328 1020 aec - ok

15:48:29.0375 1020 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys

15:48:29.0375 1020 AFD - ok

15:48:29.0437 1020 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

15:48:29.0437 1020 agp440 - ok

15:48:29.0453 1020 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

15:48:29.0453 1020 agpCPQ - ok

15:48:29.0500 1020 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

15:48:29.0500 1020 Aha154x - ok

15:48:29.0531 1020 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

15:48:29.0531 1020 aic78u2 - ok

15:48:29.0546 1020 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

15:48:29.0546 1020 aic78xx - ok

15:48:29.0625 1020 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll

15:48:29.0625 1020 Alerter - ok

15:48:29.0640 1020 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe

15:48:29.0640 1020 ALG - ok

15:48:29.0671 1020 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

15:48:29.0671 1020 AliIde - ok

15:48:29.0687 1020 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

15:48:29.0687 1020 alim1541 - ok

15:48:29.0718 1020 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

15:48:29.0718 1020 amdagp - ok

15:48:29.0750 1020 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys

15:48:29.0765 1020 AmdK8 - ok

15:48:29.0796 1020 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

15:48:29.0796 1020 amsint - ok

15:48:29.0968 1020 AntiVirSchedulerService (b4837fe56d76b2e9ea90e5365cf6a2be) C:\Program Files\Avira\AntiVir Desktop\sched.exe

15:48:29.0968 1020 AntiVirSchedulerService - ok

15:48:30.0015 1020 AntiVirService (df5a3016052755c910a206058b4a1729) C:\Program Files\Avira\AntiVir Desktop\avguard.exe

15:48:30.0015 1020 AntiVirService - ok

15:48:30.0046 1020 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll

15:48:30.0062 1020 AppMgmt - ok

15:48:30.0093 1020 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

15:48:30.0109 1020 Arp1394 - ok

15:48:30.0140 1020 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

15:48:30.0140 1020 asc - ok

15:48:30.0187 1020 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

15:48:30.0187 1020 asc3350p - ok

15:48:30.0218 1020 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

15:48:30.0234 1020 asc3550 - ok

15:48:30.0406 1020 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

15:48:30.0453 1020 aspnet_state - ok

15:48:30.0500 1020 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

15:48:30.0500 1020 AsyncMac - ok

15:48:30.0531 1020 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

15:48:30.0546 1020 atapi - ok

15:48:30.0546 1020 Atdisk - ok

15:48:30.0593 1020 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

15:48:30.0593 1020 Atmarpc - ok

15:48:30.0640 1020 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll

15:48:30.0640 1020 AudioSrv - ok

15:48:30.0687 1020 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

15:48:30.0687 1020 audstub - ok

15:48:30.0718 1020 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys

15:48:30.0718 1020 avgio - ok

15:48:30.0765 1020 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys

15:48:30.0765 1020 avgntflt - ok

15:48:30.0812 1020 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys

15:48:30.0828 1020 avipbb - ok

15:48:30.0937 1020 BBSvc (a2494901e7226b356b8c1005c45f1c5f) C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.exe

15:48:30.0953 1020 BBSvc - ok

15:48:31.0062 1020 BBUpdate (63b1cbbae4790b5bac98f01bf9449722) C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe

15:48:31.0062 1020 BBUpdate - ok

15:48:31.0125 1020 BCM43XX (114234fafec7060392195170e1c4d45e) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

15:48:31.0140 1020 BCM43XX - ok

15:48:31.0171 1020 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

15:48:31.0171 1020 Beep - ok

15:48:31.0234 1020 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll

15:48:31.0359 1020 BITS - ok

15:48:31.0406 1020 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll

15:48:31.0406 1020 Browser - ok

15:48:31.0421 1020 BTWUSB (4272bab9291d26da5ac913bc79c3ce85) C:\WINDOWS\system32\Drivers\btwusb.sys

15:48:31.0421 1020 BTWUSB - ok

15:48:31.0484 1020 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

15:48:31.0484 1020 cbidf - ok

15:48:31.0500 1020 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

15:48:31.0500 1020 cbidf2k - ok

15:48:31.0562 1020 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

15:48:31.0562 1020 CCDECODE - ok

15:48:31.0593 1020 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

15:48:31.0593 1020 cd20xrnt - ok

15:48:31.0640 1020 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

15:48:31.0640 1020 Cdaudio - ok

15:48:31.0656 1020 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

15:48:31.0671 1020 Cdfs - ok

15:48:31.0718 1020 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

15:48:31.0718 1020 Cdrom - ok

15:48:31.0734 1020 Changer - ok

15:48:31.0812 1020 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe

15:48:31.0812 1020 CiSvc - ok

15:48:31.0828 1020 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe

15:48:31.0828 1020 ClipSrv - ok

15:48:31.0968 1020 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

15:48:32.0031 1020 clr_optimization_v2.0.50727_32 - ok

15:48:32.0078 1020 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

15:48:32.0078 1020 CmBatt - ok

15:48:32.0125 1020 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

15:48:32.0125 1020 CmdIde - ok

15:48:32.0171 1020 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

15:48:32.0171 1020 Compbatt - ok

15:48:32.0187 1020 COMSysApp - ok

15:48:32.0250 1020 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

15:48:32.0250 1020 Cpqarray - ok

15:48:32.0296 1020 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll

15:48:32.0296 1020 CryptSvc - ok

15:48:32.0328 1020 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

15:48:32.0343 1020 dac2w2k - ok

15:48:32.0390 1020 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

15:48:32.0390 1020 dac960nt - ok

15:48:32.0453 1020 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll

15:48:32.0453 1020 DcomLaunch - ok

15:48:32.0500 1020 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll

15:48:32.0515 1020 Dhcp - ok

15:48:32.0546 1020 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

15:48:32.0546 1020 Disk - ok

15:48:32.0562 1020 dmadmin - ok

15:48:32.0640 1020 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

15:48:32.0718 1020 dmboot - ok

15:48:32.0734 1020 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

15:48:32.0734 1020 dmio - ok

15:48:32.0765 1020 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

15:48:32.0765 1020 dmload - ok

15:48:32.0812 1020 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll

15:48:32.0812 1020 dmserver - ok

15:48:32.0843 1020 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

15:48:32.0843 1020 DMusic - ok

15:48:32.0875 1020 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll

15:48:32.0875 1020 Dnscache - ok

15:48:32.0921 1020 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll

15:48:32.0937 1020 Dot3svc - ok

15:48:32.0968 1020 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

15:48:32.0968 1020 dpti2o - ok

15:48:32.0984 1020 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

15:48:32.0984 1020 drmkaud - ok

15:48:33.0015 1020 eabfiltr (b5cb3084046146fd2587d8c9b219feb4) C:\WINDOWS\system32\DRIVERS\eabfiltr.sys

15:48:33.0015 1020 eabfiltr - ok

15:48:33.0078 1020 eabusb (231f4547ae1e4b3e60eca66c3a96d218) C:\WINDOWS\system32\DRIVERS\eabusb.sys

15:48:33.0078 1020 eabusb - ok

15:48:33.0125 1020 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll

15:48:33.0125 1020 EapHost - ok

15:48:33.0218 1020 ehRecvr (d039a0c347632622934906bd59a4e1ea) C:\WINDOWS\eHome\ehRecvr.exe

15:48:33.0218 1020 ehRecvr - ok

15:48:33.0281 1020 ehSched (a53243709439ac2a4c216b817f8d7411) C:\WINDOWS\eHome\ehSched.exe

15:48:33.0281 1020 ehSched - ok

15:48:33.0312 1020 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll

15:48:33.0312 1020 ERSvc - ok

15:48:33.0343 1020 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe

15:48:33.0359 1020 Eventlog - ok

15:48:33.0406 1020 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll

15:48:33.0406 1020 EventSystem - ok

15:48:33.0453 1020 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

15:48:33.0453 1020 Fastfat - ok

15:48:33.0500 1020 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll

15:48:33.0500 1020 FastUserSwitchingCompatibility - ok

15:48:33.0515 1020 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

15:48:33.0531 1020 Fdc - ok

15:48:33.0562 1020 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

15:48:33.0578 1020 Fips - ok

15:48:33.0578 1020 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

15:48:33.0578 1020 Flpydisk - ok

15:48:33.0656 1020 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

15:48:33.0656 1020 FltMgr - ok

15:48:33.0796 1020 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

15:48:33.0796 1020 FontCache3.0.0.0 - ok

15:48:33.0812 1020 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

15:48:33.0812 1020 Fs_Rec - ok

15:48:33.0859 1020 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

15:48:33.0875 1020 Ftdisk - ok

15:48:33.0890 1020 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

15:48:33.0890 1020 Gpc - ok

15:48:33.0921 1020 HBtnKey (4d4d97671c63c3af869b3518e6054204) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys

15:48:33.0921 1020 HBtnKey - ok

15:48:33.0953 1020 HdAudAddService (2a6e9a118da2dd0439551a7eb3a8f65e) C:\WINDOWS\system32\drivers\CHDAud.sys

15:48:33.0968 1020 HdAudAddService - ok

15:48:34.0015 1020 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

15:48:34.0015 1020 HDAudBus - ok

15:48:34.0093 1020 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll

15:48:34.0093 1020 helpsvc - ok

15:48:34.0109 1020 HidServ - ok

15:48:34.0171 1020 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll

15:48:34.0171 1020 hkmsvc - ok

15:48:34.0234 1020 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

15:48:34.0234 1020 hpn - ok

15:48:34.0359 1020 hpqcxs08 (0a3c6aa4a9fc38c20ba4eac2c3351c05) C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll

15:48:34.0421 1020 hpqcxs08 - ok

15:48:34.0484 1020 hpqddsvc (df446ba625cc441617843e87798ce048) C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll

15:48:34.0484 1020 hpqddsvc - ok

15:48:34.0531 1020 hpqwmiex (04c1dcbb226c6ae647b794833ce3ceb6) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

15:48:34.0546 1020 hpqwmiex - ok

15:48:34.0578 1020 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

15:48:34.0593 1020 HPZid412 - ok

15:48:34.0609 1020 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

15:48:34.0609 1020 HPZipr12 - ok

15:48:34.0656 1020 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

15:48:34.0656 1020 HPZius12 - ok

15:48:34.0703 1020 HSFHWAZL (8e60293c44e3f6f7f09defb60023a37d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys

15:48:34.0734 1020 HSFHWAZL - ok

15:48:34.0796 1020 HSF_DPV (4c2aab15ad6229134f70e5c950e6185c) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

15:48:34.0875 1020 HSF_DPV - ok

15:48:34.0921 1020 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

15:48:34.0921 1020 HTTP - ok

15:48:34.0984 1020 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll

15:48:35.0000 1020 HTTPFilter - ok

15:48:35.0046 1020 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

15:48:35.0046 1020 i2omgmt - ok

15:48:35.0078 1020 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

15:48:35.0078 1020 i2omp - ok

15:48:35.0109 1020 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

15:48:35.0109 1020 i8042prt - ok

15:48:35.0187 1020 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys

15:48:35.0203 1020 iaStor - ok

15:48:35.0343 1020 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

15:48:35.0343 1020 IDriverT - ok

15:48:35.0578 1020 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

15:48:35.0593 1020 idsvc - ok

15:48:35.0703 1020 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

15:48:35.0703 1020 Imapi - ok

15:48:35.0750 1020 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe

15:48:35.0750 1020 ImapiService - ok

15:48:35.0796 1020 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

15:48:35.0796 1020 ini910u - ok

15:48:35.0843 1020 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

15:48:35.0843 1020 IntelIde - ok

15:48:35.0890 1020 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

15:48:35.0890 1020 Ip6Fw - ok

15:48:35.0906 1020 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

15:48:35.0921 1020 IpFilterDriver - ok

15:48:35.0968 1020 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

15:48:35.0968 1020 IpInIp - ok

15:48:36.0000 1020 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

15:48:36.0000 1020 IpNat - ok

15:48:36.0031 1020 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

15:48:36.0031 1020 IPSec - ok

15:48:36.0062 1020 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

15:48:36.0062 1020 IRENUM - ok

15:48:36.0078 1020 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

15:48:36.0078 1020 isapnp - ok

15:48:36.0234 1020 JavaQuickStarterService (39133291cb607bdd87cfc565a4a1e7a5) C:\Program Files\Java\jre6\bin\jqs.exe

15:48:36.0234 1020 JavaQuickStarterService - ok

15:48:36.0250 1020 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

15:48:36.0265 1020 Kbdclass - ok

15:48:36.0281 1020 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

15:48:36.0281 1020 kbdhid - ok

15:48:36.0312 1020 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

15:48:36.0312 1020 kmixer - ok

15:48:36.0359 1020 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

15:48:36.0359 1020 KSecDD - ok

15:48:36.0406 1020 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll

15:48:36.0406 1020 lanmanserver - ok

15:48:36.0437 1020 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll

15:48:36.0453 1020 lanmanworkstation - ok

15:48:36.0468 1020 lbrtfdc - ok

15:48:36.0578 1020 LightScribeService (86e8bcaa91fc2acfacd99cf2bf9f1f47) C:\Program Files\Common Files\LightScribe\LSSrvc.exe

15:48:36.0578 1020 LightScribeService - ok

15:48:36.0625 1020 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll

15:48:36.0625 1020 LmHosts - ok

15:48:36.0671 1020 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys

15:48:36.0671 1020 MBAMProtector - ok

15:48:36.0734 1020 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

15:48:36.0750 1020 MBAMService - ok

15:48:36.0843 1020 McAfee SiteAdvisor Service (6c3d154fff0a97a6c3d9f78d60c41655) c:\PROGRA~1\mcafee\SITEAD~1\McSACore.exe

15:48:36.0843 1020 McAfee SiteAdvisor Service - ok

15:48:36.0906 1020 McrdSvc (df0a511f38f16016bf658fca0090cb87) C:\WINDOWS\ehome\mcrdsvc.exe

15:48:36.0921 1020 McrdSvc - ok

15:48:36.0953 1020 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

15:48:36.0953 1020 mdmxsdk - ok

15:48:36.0984 1020 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll

15:48:36.0984 1020 Messenger - ok

15:48:37.0015 1020 MHN (b7521f69c0a9b29d356157229376fb21) C:\WINDOWS\System32\mhn.dll

15:48:37.0015 1020 MHN - ok

15:48:37.0046 1020 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys

15:48:37.0046 1020 MHNDRV - ok

15:48:37.0093 1020 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

15:48:37.0093 1020 mnmdd - ok

15:48:37.0140 1020 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe

15:48:37.0140 1020 mnmsrvc - ok

15:48:37.0328 1020 MOBCleanup - ok

15:48:37.0375 1020 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

15:48:37.0375 1020 Modem - ok

15:48:37.0390 1020 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

15:48:37.0390 1020 Mouclass - ok

15:48:37.0421 1020 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

15:48:37.0421 1020 MountMgr - ok

15:48:37.0453 1020 MQAC (eee50bf24caeedb515a8f3b22756d3bb) C:\WINDOWS\system32\drivers\mqac.sys

15:48:37.0453 1020 MQAC - ok

15:48:37.0500 1020 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

15:48:37.0500 1020 mraid35x - ok

15:48:37.0531 1020 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

15:48:37.0531 1020 MRxDAV - ok

15:48:37.0593 1020 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

15:48:37.0593 1020 MRxSmb - ok

15:48:37.0640 1020 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe

15:48:37.0640 1020 MSDTC - ok

15:48:37.0671 1020 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

15:48:37.0671 1020 Msfs - ok

15:48:37.0687 1020 MSIServer - ok

15:48:37.0734 1020 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

15:48:37.0734 1020 MSKSSRV - ok

15:48:37.0796 1020 MSMQ (e9b5f354ae80325283fd5c1c05217b01) C:\WINDOWS\system32\mqsvc.exe

15:48:37.0796 1020 MSMQ - ok

15:48:37.0828 1020 MSMQTriggers (10e6b9022b0a5c9c41e2da6aeae5d404) C:\WINDOWS\system32\mqtgsvc.exe

15:48:37.0843 1020 MSMQTriggers - ok

15:48:37.0859 1020 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

15:48:37.0859 1020 MSPCLOCK - ok

15:48:37.0890 1020 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

15:48:37.0890 1020 MSPQM - ok

15:48:37.0937 1020 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

15:48:37.0937 1020 mssmbios - ok

15:48:37.0968 1020 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

15:48:37.0968 1020 MSTEE - ok

15:48:38.0015 1020 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

15:48:38.0015 1020 Mup - ok

15:48:38.0062 1020 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

15:48:38.0062 1020 NABTSFEC - ok

15:48:38.0125 1020 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll

15:48:38.0125 1020 napagent - ok

15:48:38.0171 1020 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

15:48:38.0171 1020 NDIS - ok

15:48:38.0218 1020 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

15:48:38.0218 1020 NdisIP - ok

15:48:38.0265 1020 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

15:48:38.0265 1020 NdisTapi - ok

15:48:38.0296 1020 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

15:48:38.0296 1020 Ndisuio - ok

15:48:38.0312 1020 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

15:48:38.0312 1020 NdisWan - ok

15:48:38.0375 1020 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

15:48:38.0375 1020 NDProxy - ok

15:48:38.0406 1020 Net Driver HPZ12 (51c6d8bfbd4ea5b62a1ba7f4469250d3) C:\WINDOWS\system32\HPZinw12.dll

15:48:38.0421 1020 Net Driver HPZ12 - ok

15:48:38.0437 1020 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

15:48:38.0437 1020 NetBIOS - ok

15:48:38.0468 1020 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

15:48:38.0468 1020 NetBT - ok

15:48:38.0515 1020 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe

15:48:38.0515 1020 NetDDE - ok

15:48:38.0531 1020 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe

15:48:38.0531 1020 NetDDEdsdm - ok

15:48:38.0578 1020 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

15:48:38.0593 1020 Netlogon - ok

15:48:38.0625 1020 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll

15:48:38.0625 1020 Netman - ok

15:48:38.0765 1020 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

15:48:38.0765 1020 NetTcpPortSharing - ok

15:48:38.0828 1020 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

15:48:38.0828 1020 NIC1394 - ok

15:48:38.0875 1020 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll

15:48:38.0875 1020 Nla - ok

15:48:38.0921 1020 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

15:48:38.0921 1020 Npfs - ok

15:48:38.0937 1020 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

15:48:38.0953 1020 Ntfs - ok

15:48:39.0000 1020 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

15:48:39.0000 1020 NtLmSsp - ok

15:48:39.0046 1020 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll

15:48:39.0062 1020 NtmsSvc - ok

15:48:39.0109 1020 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

15:48:39.0109 1020 Null - ok

15:48:39.0265 1020 nv (bbb8ab2ffd7a79cd9d7751008e3de579) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

15:48:39.0421 1020 nv - ok

15:48:39.0546 1020 nvata (3ac5eedd35b7437d53960f3998bfa462) C:\WINDOWS\system32\DRIVERS\nvata.sys

15:48:39.0546 1020 nvata - ok

15:48:39.0578 1020 NVENETFD (22eedb34c4d7613a25b10c347c6c4c21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

15:48:39.0578 1020 NVENETFD - ok

15:48:39.0593 1020 nvnetbus (5e3f6ad5cad0f12d3cccd06fd964087a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

15:48:39.0593 1020 nvnetbus - ok

15:48:39.0640 1020 nvsmu (e0f76fab86fec98778047d0c7c39cbb9) C:\WINDOWS\system32\DRIVERS\nvsmu.sys

15:48:39.0640 1020 nvsmu - ok

15:48:39.0687 1020 NVSvc (a323e7dd1a00898b1c40b9b5b340c0db) C:\WINDOWS\system32\nvsvc32.exe

15:48:39.0687 1020 NVSvc - ok

15:48:39.0734 1020 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

15:48:39.0734 1020 NwlnkFlt - ok

15:48:39.0796 1020 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

15:48:39.0796 1020 NwlnkFwd - ok

15:48:39.0843 1020 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

15:48:39.0843 1020 ohci1394 - ok

15:48:39.0937 1020 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

15:48:39.0937 1020 ose - ok

15:48:40.0218 1020 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

15:48:40.0453 1020 osppsvc - ok

15:48:40.0687 1020 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

15:48:40.0687 1020 Parport - ok

15:48:40.0750 1020 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

15:48:40.0750 1020 PartMgr - ok

15:48:40.0781 1020 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

15:48:40.0796 1020 ParVdm - ok

15:48:40.0796 1020 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

15:48:40.0812 1020 PCI - ok

15:48:40.0828 1020 PCIDump - ok

15:48:40.0843 1020 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

15:48:40.0843 1020 PCIIde - ok

15:48:40.0890 1020 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

15:48:40.0906 1020 Pcmcia - ok

15:48:40.0906 1020 PDCOMP - ok

15:48:40.0937 1020 PDFRAME - ok

15:48:40.0953 1020 PDRELI - ok

15:48:40.0984 1020 PDRFRAME - ok

15:48:41.0015 1020 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

15:48:41.0015 1020 perc2 - ok

15:48:41.0062 1020 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

15:48:41.0062 1020 perc2hib - ok

15:48:41.0140 1020 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe

15:48:41.0140 1020 PlugPlay - ok

15:48:41.0187 1020 Pml Driver HPZ12 (79834aa2fbf9fe81eebb229024f6f7fc) C:\WINDOWS\system32\HPZipm12.dll

15:48:41.0187 1020 Pml Driver HPZ12 - ok

15:48:41.0203 1020 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

15:48:41.0203 1020 PolicyAgent - ok

15:48:41.0250 1020 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

15:48:41.0250 1020 PptpMiniport - ok

15:48:41.0265 1020 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

15:48:41.0265 1020 ProtectedStorage - ok

15:48:41.0296 1020 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

15:48:41.0296 1020 PSched - ok

15:48:41.0328 1020 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

15:48:41.0328 1020 Ptilink - ok

15:48:41.0359 1020 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

15:48:41.0359 1020 PxHelp20 - ok

15:48:41.0390 1020 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

15:48:41.0390 1020 ql1080 - ok

15:48:41.0406 1020 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

15:48:41.0406 1020 Ql10wnt - ok

15:48:41.0437 1020 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

15:48:41.0437 1020 ql12160 - ok

15:48:41.0468 1020 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

15:48:41.0468 1020 ql1240 - ok

15:48:41.0484 1020 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

15:48:41.0500 1020 ql1280 - ok

15:48:41.0515 1020 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

15:48:41.0531 1020 RasAcd - ok

15:48:41.0562 1020 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll

15:48:41.0562 1020 RasAuto - ok

15:48:41.0593 1020 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

15:48:41.0593 1020 Rasl2tp - ok

15:48:41.0640 1020 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll

15:48:41.0640 1020 RasMan - ok

15:48:41.0671 1020 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

15:48:41.0687 1020 RasPppoe - ok

15:48:41.0687 1020 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

15:48:41.0687 1020 Raspti - ok

15:48:41.0734 1020 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

15:48:41.0734 1020 Rdbss - ok

15:48:41.0750 1020 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

15:48:41.0750 1020 RDPCDD - ok

15:48:41.0796 1020 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

15:48:41.0796 1020 rdpdr - ok

15:48:41.0843 1020 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys

15:48:41.0843 1020 RDPWD - ok

15:48:41.0890 1020 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe

15:48:41.0906 1020 RDSessMgr - ok

15:48:41.0953 1020 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

15:48:41.0953 1020 redbook - ok

15:48:42.0000 1020 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll

15:48:42.0000 1020 RemoteAccess - ok

15:48:42.0015 1020 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll

15:48:42.0031 1020 RemoteRegistry - ok

15:48:42.0062 1020 rimmptsk (7a6648b61661b1421ffab762e391e33f) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys

15:48:42.0062 1020 rimmptsk - ok

15:48:42.0078 1020 rimsptsk (8f7012d1b6a71ee9c23ce93dcdbf9f4b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys

15:48:42.0078 1020 rimsptsk - ok

15:48:42.0125 1020 rismxdp (3ac17802740c3a4764dc9750e92e6233) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys

15:48:42.0140 1020 rismxdp - ok

15:48:42.0187 1020 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys

15:48:42.0203 1020 RMCAST - ok

15:48:42.0234 1020 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe

15:48:42.0250 1020 RpcLocator - ok

15:48:42.0312 1020 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll

15:48:42.0328 1020 RpcSs - ok

15:48:42.0375 1020 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe

15:48:42.0375 1020 RSVP - ok

15:48:42.0390 1020 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

15:48:42.0390 1020 rtl8139 - ok

15:48:42.0437 1020 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

15:48:42.0453 1020 SamSs - ok

15:48:42.0468 1020 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe

15:48:42.0468 1020 SCardSvr - ok

15:48:42.0500 1020 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll

15:48:42.0500 1020 Schedule - ok

15:48:42.0562 1020 SCR3XX2K (b590c6b740a85130e88d35d007691eb4) C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys

15:48:42.0562 1020 SCR3XX2K - ok

15:48:42.0609 1020 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

15:48:42.0609 1020 sdbus - ok

15:48:42.0656 1020 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

15:48:42.0656 1020 Secdrv - ok

15:48:42.0687 1020 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll

15:48:42.0687 1020 seclogon - ok

15:48:42.0718 1020 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll

15:48:42.0718 1020 SENS - ok

15:48:42.0750 1020 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

15:48:42.0750 1020 Serial - ok

15:48:42.0812 1020 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

15:48:42.0812 1020 Sfloppy - ok

15:48:42.0875 1020 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll

15:48:42.0875 1020 SharedAccess - ok

15:48:42.0906 1020 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll

15:48:42.0921 1020 ShellHWDetection - ok

15:48:42.0921 1020 Simbad - ok

15:48:42.0968 1020 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

15:48:42.0968 1020 sisagp - ok

15:48:43.0000 1020 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

15:48:43.0000 1020 SLIP - ok

15:48:43.0062 1020 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

15:48:43.0062 1020 Sparrow - ok

15:48:43.0078 1020 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

15:48:43.0078 1020 splitter - ok

15:48:43.0125 1020 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe

15:48:43.0125 1020 Spooler - ok

15:48:43.0171 1020 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

15:48:43.0171 1020 sr - ok

15:48:43.0218 1020 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll

15:48:43.0218 1020 srservice - ok

15:48:43.0265 1020 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

15:48:43.0281 1020 Srv - ok

15:48:43.0296 1020 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll

15:48:43.0296 1020 SSDPSRV - ok

15:48:43.0343 1020 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

15:48:43.0343 1020 ssmdrv - ok

15:48:43.0390 1020 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll

15:48:43.0406 1020 stisvc - ok

15:48:43.0453 1020 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

15:48:43.0453 1020 streamip - ok

15:48:43.0484 1020 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

15:48:43.0484 1020 swenum - ok

15:48:43.0500 1020 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

15:48:43.0500 1020 swmidi - ok

15:48:43.0515 1020 SwPrv - ok

15:48:43.0578 1020 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

15:48:43.0578 1020 symc810 - ok

15:48:43.0593 1020 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

15:48:43.0593 1020 symc8xx - ok

15:48:43.0625 1020 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

15:48:43.0625 1020 sym_hi - ok

15:48:43.0640 1020 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

15:48:43.0640 1020 sym_u3 - ok

15:48:43.0687 1020 SynTP (60cb9f7c95791fe56a6e86868f4467ba) C:\WINDOWS\system32\DRIVERS\SynTP.sys

15:48:43.0687 1020 SynTP - ok

15:48:43.0703 1020 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

15:48:43.0703 1020 sysaudio - ok

15:48:43.0765 1020 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe

15:48:43.0765 1020 SysmonLog - ok

15:48:43.0796 1020 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll

15:48:43.0812 1020 TapiSrv - ok

15:48:43.0859 1020 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

15:48:43.0859 1020 Tcpip - ok

15:48:43.0906 1020 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

15:48:43.0921 1020 TDPIPE - ok

15:48:43.0937 1020 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

15:48:43.0937 1020 TDTCP - ok

15:48:43.0968 1020 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

15:48:43.0968 1020 TermDD - ok

15:48:44.0031 1020 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll

15:48:44.0031 1020 TermService - ok

15:48:44.0093 1020 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll

15:48:44.0093 1020 Themes - ok

15:48:44.0140 1020 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe

15:48:44.0140 1020 TlntSvr - ok

15:48:44.0265 1020 TomTomHOMEService (572a16fbad52ab1ac8e3d44baaf99694) C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

15:48:44.0265 1020 TomTomHOMEService - ok

15:48:44.0312 1020 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

15:48:44.0328 1020 TosIde - ok

15:48:44.0328 1020 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll

15:48:44.0343 1020 TrkWks - ok

15:48:44.0390 1020 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

15:48:44.0390 1020 Udfs - ok

15:48:44.0406 1020 UIUSys - ok

15:48:44.0453 1020 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

15:48:44.0453 1020 ultra - ok

15:48:44.0500 1020 UMWdf (9651e5d850b6f6bd7c77c70aa06f02bf) C:\WINDOWS\system32\wdfmgr.exe

15:48:44.0515 1020 UMWdf - ok

15:48:44.0578 1020 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

15:48:44.0593 1020 Update - ok

15:48:44.0625 1020 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll

15:48:44.0625 1020 upnphost - ok

15:48:44.0640 1020 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe

15:48:44.0640 1020 UPS - ok

15:48:44.0703 1020 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

15:48:44.0703 1020 usbaudio - ok

15:48:44.0750 1020 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

15:48:44.0750 1020 usbccgp - ok

15:48:44.0796 1020 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

15:48:44.0796 1020 usbehci - ok

15:48:44.0812 1020 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

15:48:44.0812 1020 usbhub - ok

15:48:44.0828 1020 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

15:48:44.0828 1020 usbohci - ok

15:48:44.0859 1020 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

15:48:44.0859 1020 usbprint - ok

15:48:44.0875 1020 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

15:48:44.0875 1020 usbscan - ok

15:48:44.0890 1020 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

15:48:44.0906 1020 USBSTOR - ok

15:48:44.0937 1020 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

15:48:44.0937 1020 usbuhci - ok

15:48:44.0984 1020 usbvm328 (6dc94d0d4f2472056d14e987f729eccb) C:\WINDOWS\system32\Drivers\usbvm326.sys

15:48:44.0984 1020 usbvm328 - ok

15:48:45.0031 1020 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

15:48:45.0031 1020 VgaSave - ok

15:48:45.0062 1020 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

15:48:45.0062 1020 viaagp - ok

15:48:45.0093 1020 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

15:48:45.0093 1020 ViaIde - ok

15:48:45.0171 1020 vmfilter323 (6c21422d47ed3d8f65ed667bfd1cc759) C:\WINDOWS\system32\drivers\vmfilter323.sys

15:48:45.0171 1020 vmfilter323 - ok

15:48:45.0203 1020 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

15:48:45.0203 1020 VolSnap - ok

15:48:45.0343 1020 Vongo Service (322aaa3b17e1fc664915350cdde92eb8) C:\Program Files\Vongo\VongoService.exe

15:48:45.0359 1020 Vongo Service - ok

15:48:45.0406 1020 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe

15:48:45.0421 1020 VSS - ok

15:48:45.0453 1020 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll

15:48:45.0468 1020 W32Time - ok

15:48:45.0515 1020 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

15:48:45.0515 1020 Wanarp - ok

15:48:45.0531 1020 WDICA - ok

15:48:45.0562 1020 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

15:48:45.0562 1020 wdmaud - ok

15:48:45.0578 1020 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll

15:48:45.0578 1020 WebClient - ok

15:48:45.0656 1020 winachsf (e17d31cd52dcb7745ac5330eea062d0b) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

15:48:45.0671 1020 winachsf - ok

15:48:45.0750 1020 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll

15:48:45.0750 1020 winmgmt - ok

15:48:46.0015 1020 wlidsvc (5144ae67d60ec653f97ddf3feed29e77) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

15:48:46.0078 1020 wlidsvc - ok

15:48:46.0218 1020 WMConnectCDS (cd99c9feae87c1963273f6b150251e33) C:\Program Files\Windows Media Connect 2\wmccds.exe

15:48:46.0234 1020 WMConnectCDS - ok

15:48:46.0421 1020 WmdmPmSN (b9715b9c18bc6c8f4b66733d208cc9f7) C:\WINDOWS\system32\MsPMSNSv.dll

15:48:46.0421 1020 WmdmPmSN - ok

15:48:46.0500 1020 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll

15:48:46.0515 1020 Wmi - ok

15:48:46.0593 1020 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

15:48:46.0593 1020 WmiAcpi - ok

15:48:46.0671 1020 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe

15:48:46.0671 1020 WmiApSrv - ok

15:48:46.0718 1020 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll

15:48:46.0734 1020 wscsvc - ok

15:48:46.0765 1020 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

15:48:46.0765 1020 WSTCODEC - ok

15:48:46.0796 1020 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll

15:48:46.0828 1020 wuauserv - ok

15:48:46.0875 1020 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll

15:48:46.0890 1020 WZCSVC - ok

15:48:46.0921 1020 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll

15:48:46.0921 1020 xmlprov - ok

15:48:47.0000 1020 MBR (0x1B8) (665277635dc8ba83deae12eadedb75a0) \Device\Harddisk0\DR0

15:48:47.0015 1020 \Device\Harddisk0\DR0 - ok

15:48:47.0031 1020 Boot (0x1200) (0c244233af3399cf72a2036305143af3) \Device\Harddisk0\DR0\Partition0

15:48:47.0031 1020 \Device\Harddisk0\DR0\Partition0 - ok

15:48:47.0093 1020 Boot (0x1200) (5b9d4a6e33305397a5038ea01fb2397a) \Device\Harddisk0\DR0\Partition1

15:48:47.0093 1020 \Device\Harddisk0\DR0\Partition1 - ok

15:48:47.0093 1020 ============================================================

15:48:47.0093 1020 Scan finished


Those surely were not the results I expected in any way.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

Also run TDSSKiller after that, and post that log please.


I am wondering if I had disabled Avira in safe mode. I tried to reboot in safe mode with networking to be sure I had turned it off. I realise that I'm not so sure after all, but the Avira control center said the service was stopped, instead of disabled. If you can tell me how to disable it again, I'll retry it one more time.


ComboFix 12-05-15.04 - Jeff 05/15/2012 17:12:37.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1715 [GMT -8:00]

Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\883o8ZUhSyoNka

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\J\GoToAssistDownloadHelper.exe

c:\documents and settings\J\WINDOWS

c:\documents and settings\Jeff\WINDOWS

c:\windows\system32\system

D:\Autorun.inf

.

Infected copy of c:\windows\system32\Version.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\version.dll

.

.

((((((((((((((((((((((((( Files Created from 2012-04-16 to 2012-05-16 )))))))))))))))))))))))))))))))

.

.

2012-05-14 16:44 . 2012-05-14 16:44 -------- d-----w- c:\documents and settings\Jeff\Application Data\Malwarebytes

2012-05-14 16:44 . 2012-05-14 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-05-14 16:44 . 2012-05-14 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-05-14 16:44 . 2012-04-04 23:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-30 17:33 . 2012-05-11 00:18 -------- d--h--w- c:\program files\Microsoft Silverlight

2012-04-23 17:24 . 2012-04-23 17:24 -------- d--h--w- c:\program files\PureEdge1

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-05-05 00:10 . 2012-04-05 23:58 70304 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-05 00:10 . 2012-04-05 23:58 419488 ---ha-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-11 13:14 . 2006-03-16 04:00 2148352 ---ha-w- c:\windows\system32\ntoskrnl.exe

2012-04-11 13:12 . 2006-03-16 04:00 1862272 ---ha-w- c:\windows\system32\win32k.sys

2012-04-11 12:35 . 2006-03-16 04:00 2026496 ---ha-w- c:\windows\system32\ntkrnlpa.exe

2012-03-01 11:01 . 2006-03-16 04:00 916992 ---ha-w- c:\windows\system32\wininet.dll

2012-03-01 11:01 . 2006-03-16 04:00 43520 ---ha-w- c:\windows\system32\licmgr10.dll

2012-03-01 11:01 . 2006-03-16 04:00 1469440 ---h--w- c:\windows\system32\inetcpl.cpl

2012-02-29 14:10 . 2006-03-16 04:00 177664 ---ha-w- c:\windows\system32\wintrust.dll

2012-02-29 14:10 . 2006-03-16 04:00 148480 ---ha-w- c:\windows\system32\imagehlp.dll

2012-02-29 12:17 . 2006-03-16 04:00 385024 ---ha-w- c:\windows\system32\html.iec

2001-06-20 21:19 . 2001-06-19 21:34 40960 ---ha-w- c:\program files\ACMonitor_X83.exe

2012-01-29 15:55 . 2012-02-08 03:15 134104 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1dad3af3-ef2f-4f64-ac4b-11789189fcb6}]

2012-02-10 19:28 1307928 ---ha-w- c:\program files\Microsoft\BingBar\7.1.361.0\BingExt.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-12-10 247144]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-27 15026056]

"Device Detection"="c:\program files\FUJIFILM\MyFinePix Studio\dd.exe" [2011-06-07 404664]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-11 149280]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]

"nwiz"="nwiz.exe" [2006-08-18 1617920]

"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-12 102400]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

.

c:\documents and settings\Jeff\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2007-5-15 130864]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2007-05-15 20:08 112640 ---ha-w- c:\windows\system32\ackpbsc.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2007-05-15 20:08 281088 ---ha-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\BearShare\\BearShare.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

.

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 12:08 PM 182576]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/20/2010 8:13 PM 136360]

R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2/10/2012 11:28 AM 193816]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/14/2012 8:44 AM 654408]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\McSACore.exe [12/3/2009 1:37 PM 95200]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [12/10/2010 4:29 AM 92008]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/14/2012 8:44 AM 22344]

S2 0062421329956074mcinstcleanup;McAfee Application Installer Cleanup (0062421329956074);c:\windows\TEMP\006242~1.EXE -cleanup -nolog --> c:\windows\TEMP\006242~1.EXE -cleanup -nolog [?]

S2 MOBCleanup;MOBCleanup;"c:\docume~1\Jeff\LOCALS~1\Temp\MOBCleanup.exe" --> c:\docume~1\Jeff\LOCALS~1\Temp\MOBCleanup.exe [?]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 12:39 PM 61952]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 3:58 PM 257696]

S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2/10/2012 11:28 AM 240408]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]

S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/6/2010 7:19 PM 57856]

S3 usbvm328;HP Camera;c:\windows\system32\drivers\usbvm326.sys [2/14/2011 1:40 PM 219648]

S3 vmfilter323;VC0326 filter service for Serome;c:\windows\system32\drivers\vmfilter323.sys [2/14/2011 1:40 PM 475264]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-15 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 00:10]

.

2012-03-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

Trusted Zone: ahrn.com\www

Trusted Zone: ahrn.com\www*

Trusted Zone: chase.com

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 209.165.131.12 209.165.131.13 0.0.0.0

FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\wifw4z5k.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-hpqSRMon - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-05-15 17:22

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????Q??????Y?@?????<?@

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600

.

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

kernel: MBR read successfully

user != kernel MBR !!!

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(676)

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll

.

- - - - - - - > 'explorer.exe'(4040)

c:\windows\system32\WININET.dll

c:\progra~1\mcafee\SITEAD~1\saHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\SCardSvr.exe

c:\program files\ActivIdentity\ActivClient\acevents.exe

c:\windows\system32\msdtc.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\ActivIdentity\ActivClient\acevents.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\mqsvc.exe

c:\windows\system32\mqtgsvc.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\windows\eHome\ehmsas.exe

.

**************************************************************************

.

Completion time: 2012-05-15 17:30:18 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-16 01:30

.

Pre-Run: 24,360,603,648 bytes free

Post-Run: 24,458,252,288 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 44EF6B2B1F37FF8E7E8DB7076DA0964D


This is after running ComboFix, thanks.

17:37:53.0375 1776 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18

17:37:53.0968 1776 ============================================================

17:37:53.0968 1776 Current date / time: 2012/05/15 17:37:53.0968

17:37:53.0968 1776 SystemInfo:

17:37:53.0968 1776

17:37:53.0968 1776 OS Version: 5.1.2600 ServicePack: 3.0

17:37:53.0968 1776 Product type: Workstation

17:37:53.0968 1776 ComputerName: STOLL

17:37:53.0968 1776 UserName: Jeff

17:37:53.0968 1776 Windows directory: C:\WINDOWS

17:37:53.0968 1776 System windows directory: C:\WINDOWS

17:37:53.0968 1776 Processor architecture: Intel x86

17:37:53.0968 1776 Number of processors: 2

17:37:53.0968 1776 Page size: 0x1000

17:37:53.0968 1776 Boot type: Normal boot

17:37:53.0968 1776 ============================================================

17:37:55.0187 1776 Drive \Device\Harddisk0\DR0 - Size: 0x174A446000 (93.16 Gb), SectorSize: 0x200, Cylinders: 0x2F81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050

17:37:55.0187 1776 ============================================================

17:37:55.0187 1776 \Device\Harddisk0\DR0:

17:37:55.0187 1776 MBR partitions:

17:37:55.0187 1776 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xA13099A

17:37:55.0187 1776 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xC, StartLBA 0xA13489A, BlocksNum 0x171A8E4

17:37:55.0187 1776 ============================================================

17:37:55.0265 1776 C: <-> \Device\Harddisk0\DR0\Partition0

17:37:55.0296 1776 D: <-> \Device\Harddisk0\DR0\Partition1

17:37:55.0296 1776 ============================================================

17:37:55.0296 1776 Initialize success

17:37:55.0296 1776 ============================================================

17:38:03.0796 3128 Deinitialize success


Curious results so far, though hoping ComboFix catching and replacing a bogus .dll file will have changed something.

Since I have the info at hand, take note of the following, which you may choose to uninstall later once we are clear of this rootkit nonsense:

Vongo - Pre-installed by HP, now defunct.

Netscape Browser (remove only) - Same - pre-installed, no longer in use.

And these are resource wasters if you do not actually use them:

Yahoo! Toolbar for Internet Explorer

Yahoo! Toolbar

Bing Bar

-------------

Download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

------------

Run Gmer again, and post that log please.


MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000001c

Kernel Drivers (total 140):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E5000 \WINDOWS\system32\hal.dll

0xF7987000 \WINDOWS\system32\KDCOM.DLL

0xF7897000 \WINDOWS\system32\BOOTVID.dll

0xF7358000 ACPI.sys

0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF7347000 pci.sys

0xF7487000 isapnp.sys

0xF7497000 ohci1394.sys

0xF74A7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xF789B000 compbatt.sys

0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS

0xF7A4F000 pciide.sys

0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF798B000 intelide.sys

0xF798D000 viaide.sys

0xF798F000 aliide.sys

0xF7329000 pcmcia.sys

0xF74B7000 MountMgr.sys

0xF730A000 ftdisk.sys

0xF7991000 dmload.sys

0xF72E4000 dmio.sys

0xF78A3000 ACPIEC.sys

0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

0xF770F000 PartMgr.sys

0xF74C7000 VolSnap.sys

0xF72CC000 atapi.sys

0xF72B3000 nvata.sys

0xF74D7000 disk.sys

0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF7293000 fltmgr.sys

0xF7281000 sr.sys

0xF7717000 PxHelp20.sys

0xF726A000 KSecDD.sys

0xF71DD000 Ntfs.sys

0xF71B0000 NDIS.sys

0xF74F7000 Serial.sys

0xF7196000 Mup.sys

0xF7697000 \SystemRoot\system32\DRIVERS\AmdK8.sys

0xF7152000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0xF714E000 \SystemRoot\system32\DRIVERS\cpqbttn.sys

0xF76A7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xF780F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xF6B50000 \SystemRoot\system32\DRIVERS\wmiacpi.sys

0xF6707000 \SystemRoot\system32\DRIVERS\nv4_mini.sys

0xF66F3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xF6B3C000 \SystemRoot\system32\DRIVERS\nvsmu.sys

0xF7817000 \SystemRoot\system32\DRIVERS\usbohci.sys

0xF66CF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF781F000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xF7537000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF76B7000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF76C7000 \SystemRoot\system32\DRIVERS\redbook.sys

0xF66AC000 \SystemRoot\system32\DRIVERS\ks.sys

0xF6684000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xF6B34000 \SystemRoot\system32\DRIVERS\nvnetbus.sys

0xF6639000 \SystemRoot\system32\DRIVERS\NVNRM.SYS

0xF6602000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS

0xF76D7000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF7827000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xF65D2000 \SystemRoot\system32\DRIVERS\SynTP.sys

0xF79CB000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF782F000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF7ABD000 \SystemRoot\system32\DRIVERS\audstub.sys

0xF76E7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xF6B30000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xF65BB000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF76F7000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xF7507000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF7837000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xF65AA000 \SystemRoot\system32\DRIVERS\psched.sys

0xF7517000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF783F000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF7847000 \SystemRoot\system32\DRIVERS\raspti.sys

0xF6552000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xF7527000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF79CD000 \SystemRoot\system32\DRIVERS\swenum.sys

0xF64F4000 \SystemRoot\system32\DRIVERS\update.sys

0xF793F000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xF794B000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0xF7557000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF6B0C000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF6AFC000 \SystemRoot\system32\DRIVERS\NVENETFD.sys

0xF2E29000 \SystemRoot\system32\drivers\CHDAud.sys

0xF2E05000 \SystemRoot\system32\drivers\portcls.sys

0xF7677000 \SystemRoot\system32\drivers\drmk.sys

0xF2DD2000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys

0xF2CE0000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys

0xF2C2E000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys

0xF77A7000 \SystemRoot\System32\Drivers\Modem.SYS

0xF3AFE000 \SystemRoot\System32\Drivers\i2omgmt.SYS

0xF7A4D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xEFA2D000 \SystemRoot\System32\Drivers\Null.SYS

0xF7993000 \SystemRoot\System32\Drivers\Beep.SYS

0xF11E2000 \SystemRoot\System32\drivers\vga.sys

0xF7995000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF7997000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF11DA000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF11D2000 \SystemRoot\System32\Drivers\Npfs.SYS

0xF3AFA000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xEC903000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xEC8AA000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xEC882000 \SystemRoot\system32\DRIVERS\netbt.sys

0xEC85C000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xF2ED6000 \SystemRoot\System32\drivers\ws2ifsl.sys

0xF0D59000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xEC83A000 \SystemRoot\System32\drivers\afd.sys

0xF0D49000 \SystemRoot\system32\DRIVERS\netbios.sys

0xF79A3000 \SystemRoot\system32\DRIVERS\eabfiltr.sys

0xF11CA000 \SystemRoot\system32\DRIVERS\ssmdrv.sys

0xEC80F000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xEC79F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF0012000 \SystemRoot\System32\Drivers\Fips.SYS

0xEC778000 \SystemRoot\system32\DRIVERS\avipbb.sys

0xF7A2F000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys

0xEC754000 \SystemRoot\System32\Drivers\Fastfat.SYS

0xEC73B000 \SystemRoot\System32\Drivers\dump_nvata.sys

0xF7A45000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xF0026000 \SystemRoot\System32\drivers\Dxapi.sys

0xEF181000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xF7B74000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\nv4_disp.dll

0xBF3E0000 \SystemRoot\System32\ATMFD.DLL

0xBA5E9000 \SystemRoot\system32\DRIVERS\avgntflt.sys

0xEB00E000 \??\C:\WINDOWS\system32\drivers\mbam.sys

0xEE9B6000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xB9D6C000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xB9D2F000 \SystemRoot\system32\drivers\wdmaud.sys

0xF00A3000 \SystemRoot\system32\drivers\sysaudio.sys

0xB9B29000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xB8F48000 \SystemRoot\System32\Drivers\HTTP.sys

0xB8E00000 \SystemRoot\system32\DRIVERS\srv.sys

0xB8DC8000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys

0xB8C09000 \??\C:\WINDOWS\system32\drivers\mqac.sys

0xB8B0F000 \??\C:\WINDOWS\system32\drivers\RMCast.sys

0xB7A8A000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys

0xB741D000 \SystemRoot\system32\drivers\kmixer.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 78):

0 System Idle Process

4 System

596 C:\WINDOWS\system32\smss.exe

644 csrss.exe

672 C:\WINDOWS\system32\winlogon.exe

716 C:\WINDOWS\system32\services.exe

728 C:\WINDOWS\system32\lsass.exe

916 C:\WINDOWS\system32\svchost.exe

964 svchost.exe

1060 C:\WINDOWS\system32\svchost.exe

1184 svchost.exe

1260 svchost.exe

1392 C:\WINDOWS\system32\spoolsv.exe

1476 acevents.exe

1484 scardsvr.exe

1504 C:\Program Files\Avira\AntiVir Desktop\sched.exe

1656 svchost.exe

1872 C:\WINDOWS\explorer.exe

2016 C:\WINDOWS\ehome\ehtray.exe

2044 C:\Program Files\Java\jre6\bin\jusched.exe

272 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

288 C:\Program Files\HP\QuickPlay\QPService.exe

328 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

348 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

360 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

548 C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

400 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

580 C:\Program Files\QuickTime\QTTask.exe

588 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

612 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

624 C:\Program Files\Skype\Phone\Skype.exe

1008 C:\Program Files\ActivIdentity\ActivClient\acevents.exe

1024 C:\WINDOWS\system32\ctfmon.exe

1428 C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

1572 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

1396 C:\Program Files\Vongo\Tray.exe

1720 msdtc.exe

1192 C:\Program Files\ActivIdentity\ActivClient\accoca.exe

1972 C:\Program Files\Avira\AntiVir Desktop\avguard.exe

1980 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

2012 C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE

2080 C:\WINDOWS\ehome\ehrecvr.exe

2104 C:\WINDOWS\ehome\ehSched.exe

2152 C:\WINDOWS\system32\svchost.exe

2216 C:\Program Files\Java\jre6\bin\jqs.exe

2256 C:\Program Files\Common Files\LightScribe\LSSrvc.exe

2428 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

2828 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

2852 C:\PROGRA~1\McAfee\SITEAD~1\McSACore.exe

2928 C:\WINDOWS\system32\svchost.exe

2948 C:\WINDOWS\system32\nvsvc32.exe

2964 C:\WINDOWS\system32\svchost.exe

3096 svchost.exe

3288 C:\WINDOWS\system32\svchost.exe

3496 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

3792 C:\Program Files\Vongo\VongoService.exe

3840 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

2748 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

3452 mcrdsvc.exe

3716 C:\WINDOWS\system32\mqsvc.exe

416 C:\WINDOWS\system32\wuauclt.exe

3532 C:\WINDOWS\system32\mqtgsvc.exe

3556 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

3832 C:\Program Files\Internet Explorer\iexplore.exe

3580 C:\WINDOWS\system32\rundll32.exe

2472 wmiprvse.exe

3592 C:\WINDOWS\system32\dllhost.exe

2940 C:\WINDOWS\system32\wbem\wmiapsrv.exe

404 alg.exe

2772 C:\WINDOWS\system32\svchost.exe

2320 C:\Program Files\Internet Explorer\iexplore.exe

1748 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe

512 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

1688 C:\WINDOWS\ehome\ehmsas.exe

480 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

5400 C:\Program Files\Internet Explorer\iexplore.exe

3480 C:\WINDOWS\system32\wscntfy.exe

4420 C:\Documents and Settings\Jeff\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000014`26913400 (FAT32)

PhysicalDrive0 Model Number: ST9100824AS, Rev: 7.24

Size Device Name MBR Status

--------------------------------------------

93 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: F19F100B4DC860880BDC331CC9D56B1C13F605D5

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

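The MBRCheck output above prints the byte offsets of the two volumes it found and flags the boot code as unknown. The script below is an added example, written for this page and not MBRCheck's own logic or anything posted by the people in this thread, of doing the same check by hand: read sector 0, verify the 0x55AA signature, hash the 440 bytes of boot code, compare the hash against a set of known-good values, and confirm that the partition table still starts C: and D: where Windows reports them. The two partition offsets come from the MBRCheck output; the sector counts, the disk signature, the two boot-code byte strings and the known-good hash set are constructed stand-ins (a real known-good set would hold hashes recorded from clean installs of the same Windows build).

```python
"""Parse a 512-byte MBR, verify it, hash its boot code and cross-check the
partition table against the volume offsets the OS reports.
Added example for this thread; not part of MBRCheck, GMER or ComboFix."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # boot code is bytes 0..439; the disk signature follows
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55 0xAA


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a physical drive (Windows, needs Administrator).
    A bootkit that filters disk I/O can hand back a clean sector here, so
    compare against a read taken from offline boot media as well."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(mbr):
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors,
                           "byte_offset": lba_start * SECTOR})
    return {"code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "partitions": partitions}


def assess(info, known_good_hashes, expected_volumes):
    """Flag unknown boot code and partition entries that disagree with the
    volume offsets the OS reports (the offsets MBRCheck prints)."""
    findings = []
    if info["code_sha1"] not in known_good_hashes:
        findings.append("unknown MBR boot code, SHA1 " + info["code_sha1"])
    by_offset = {p["byte_offset"]: p for p in info["partitions"]}
    for name, (offset, ptype) in expected_volumes.items():
        entry = by_offset.get(offset)
        if entry is None:
            findings.append(f"{name}: no partition entry starts at {offset:#x}")
        elif entry["type"] != ptype:
            findings.append(f"{name}: partition type {entry['type']:#04x}, expected {ptype:#04x}")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("partition table does not mark exactly one bootable partition")
    return findings


def build_mbr(boot_code, partitions, disk_signature=0x12345678):
    """Assemble a test MBR from constructed data (only used for this example)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_signature)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        mbr[off] = 0x80 if bootable else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, lba_start, sectors)
    mbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(mbr)


# Layout taken from the MBRCheck output: C: (NTFS) at byte offset 0x7E00 =
# LBA 63, D: (FAT32) at 0x1426913400 = LBA 0x0A13489A. Sector counts and the
# disk signature are constructed, not taken from the log.
LAYOUT = [(True, 0x07, 63, 0x0A13489A - 63),
          (False, 0x0C, 0x0A13489A, 26_000_000)]
EXPECTED_VOLUMES = {"C:": (0x7E00, 0x07), "D:": (0x1426913400, 0x0C)}

# Constructed stand-ins: CLEAN_CODE plays the stock loader whose hash you would
# record from a known-clean machine; TAMPERED_CODE keeps the partition table
# but replaces the loader, which is what a bootkit does.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 8)
TAMPERED_CODE = b"\xeb\x1e" + bytes(range(256)) + b"\x00" * (BOOT_CODE_LEN - 258)
KNOWN_GOOD = {hashlib.sha1(CLEAN_CODE).hexdigest().upper()}


def check(boot_code):
    """Build an MBR with the thread's layout around boot_code and assess it."""
    return assess(parse_mbr(build_mbr(boot_code, LAYOUT)), KNOWN_GOOD, EXPECTED_VOLUMES)


if __name__ == "__main__":
    for label, code in (("clean", CLEAN_CODE), ("tampered", TAMPERED_CODE)):
        print(label, check(code) or ["no findings"])
```

On the infected machine, hash the sector returned by read_mbr() and also a copy read from offline boot media; a bootkit that filters disk reads can return a clean sector to tools running under the infected kernel, and a difference between the two reads is a finding in its own right. An intact partition table with unknown boot code, the combination the assessment reports for the tampered case, is the typical bootkit pattern: the loader is replaced, the table is left alone so the system still boots.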

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-05-16 22:48:46

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\0000007e rev.

Running: qx4x3rwb.exe; Driver: C:\DOCUME~1\Jeff\LOCALS~1\Temp\pxtdypob.sys

---- System - GMER 1.0.15 ----

SSDT EE6B468C ZwClose

SSDT EE6B4646 ZwCreateKey

SSDT EE6B4696 ZwCreateSection

SSDT EE6B463C ZwCreateThread

SSDT EE6B464B ZwDeleteKey

SSDT EE6B4655 ZwDeleteValueKey

SSDT EE6B4687 ZwDuplicateObject

SSDT EE6B465A ZwLoadKey

SSDT EE6B4628 ZwOpenProcess

SSDT EE6B462D ZwOpenThread

SSDT EE6B4664 ZwReplaceKey

SSDT EE6B465F ZwRestoreKey

SSDT EE6B469B ZwSetContextThread

SSDT EE6B4650 ZwSetValueKey

SSDT EE6B4637 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6105360, 0x225D9D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[1732] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[1732] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[1732] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[1732] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[1732] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[1732] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[1732] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[1732] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[1732] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AA5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD119 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254686 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[3208] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\internet explorer\iexplore.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\internet explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

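A GMER log mixes three kinds of record that triage has to keep apart: SSDT entries (one kernel address per hooked Zw* service), inline user-mode hooks (a JMP from an exported function into some other module, with that module's version info in parentheses when it has any) and the disk-sector verdict. The parser below is an added example written for this page; it is not part of GMER and not something the helper posted. Its sample lines are copied from the two GMER logs in this thread, plus one constructed inline-hook line whose target (constructed_example.dll, marked as such in the code) carries no version info, so the no-version-info rule has something to fire on. SSDT addresses are resolved against the Modules section; the second log's module list was produced with "Only non MS files" ticked, so a hook that lands in a Microsoft driver would also come back unresolved. Treat "unresolved" as "identify the owning driver", not as "malicious": antivirus and HIPS products hook the same SSDT entries.

```python
"""Triage the record types in a GMER log. Added example for this thread; not
GMER's own code. Sample lines are copied from the logs posted above, except
the one marked constructed."""
import re
from collections import defaultdict

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)$")
INLINE_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+!\S+)\s+[0-9A-F]{8}\s+\d+\s+Bytes\s+JMP\s+"
    r"([0-9A-F]{8})\s+(.+?)(?:\s+\((.+)\))?$")
WRITEABLE_RE = re.compile(r"^\.text\s+(\S+)\s+section is writeable\b")
MODULE_RE = re.compile(
    r"^Module\s+(\S+)(?:\s+\((.+)\))?\s+([0-9A-F]{8})-([0-9A-F]{8})\s+\(\d+ bytes\)$")
DISK_RE = re.compile(r"^Disk\s+(\S+)\s+sector\s+(\d+):\s+(.+)$")


def parse(lines):
    """Split a GMER log into the record types the triage rules need."""
    log = {"ssdt": [], "inline": [], "writeable": [], "modules": [], "disk": []}
    for raw in lines:
        line = raw.strip()
        if m := SSDT_RE.match(line):
            log["ssdt"].append((int(m[1], 16), m[2]))
        elif m := WRITEABLE_RE.match(line):
            log["writeable"].append(m[1])
        elif m := INLINE_RE.match(line):
            # (process, pid, hooked export, jump target, target module, version info or None)
            log["inline"].append((m[1], int(m[2]), m[3], int(m[4], 16), m[5], m[6]))
        elif m := MODULE_RE.match(line):
            log["modules"].append((m[1], m[2], int(m[3], 16), int(m[4], 16)))
        elif m := DISK_RE.match(line):
            log["disk"].append((m[1], int(m[2]), m[3]))
    return log


def owner(addr, modules):
    """Name the listed module whose address range contains addr, if any."""
    for name, _vendor, start, end in modules:
        if start <= addr < end:
            return name
    return None


def triage(log):
    """Return (severity, message) findings; severities are this example's own scheme."""
    findings = []
    for device, sector, verdict in log["disk"]:
        findings.append(("high", f"{device} sector {sector:02d}: {verdict}; "
                                 "image the disk and inspect the MBR offline"))
    unresolved = [a for a, _fn in log["ssdt"] if owner(a, log["modules"]) is None]
    if unresolved:
        # Hooks packed into one small range almost always belong to one driver.
        findings.append(("medium", f"{len(unresolved)} SSDT hooks at "
                                   f"{min(unresolved):08X}-{max(unresolved):08X} fall in no "
                                   "listed module; identify the owning driver"))
    by_target = defaultdict(list)
    for _proc, _pid, export, _addr, path, vendor in log["inline"]:
        by_target[(path, vendor)].append(export)
    for (path, vendor), exports in by_target.items():
        if vendor is None:
            findings.append(("high", f"inline hooks into {path}, which carries no "
                                     f"version info: {', '.join(exports)}"))
        else:
            findings.append(("info", f"{len(exports)} inline hooks into {path} ({vendor})"))
    for module in log["writeable"]:
        findings.append(("low", f"{module}: writeable .text section"))
    return findings


def run(text):
    return triage(parse(text.splitlines()))


# Lines copied from the GMER logs posted in this thread (a subset of the SSDT entries).
THREAD_LINES = r"""
SSDT EE6B468C ZwClose
SSDT EE6B4646 ZwCreateKey
SSDT EE6B4628 ZwOpenProcess
SSDT EE6B469B ZwSetContextThread
SSDT EE6B4637 ZwTerminateProcess
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6105360, 0x225D9D, 0xE8000020]
.text C:\Program Files\internet explorer\iexplore.exe[1732] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3208] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
Module \SystemRoot\system32\DRIVERS\SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) F710D000-F713D000 (196608 bytes)
Module \??\C:\DOCUME~1\Jeff\LOCALS~1\Temp\catchme.sys F780F000-F7817000 (32768 bytes)
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""
# Constructed line, NOT from the thread: a hook whose target module has no version info.
CONSTRUCTED_LINE = (r".text C:\WINDOWS\explorer.exe[1872] kernel32.dll!CreateFileW 7C801A28 "
                    r"5 Bytes JMP 00A31000 C:\WINDOWS\Temp\constructed_example.dll")
SAMPLE = THREAD_LINES + CONSTRUCTED_LINE + "\n"

if __name__ == "__main__":
    for severity, message in run(SAMPLE):
        print(f"[{severity}] {message}")
```

Run it over a full log with run(open("gmer.log").read()). The "info" findings for IEFRAME.dll are what a Microsoft module hooking USER32 inside Internet Explorer looks like; the reason to keep them in the output rather than drop them is that the same rule, applied to a target with no version info, is the one that produces the "high" finding.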

Shows the infected MBR in both scan logs, and GMER is sure showing some pretty suspect other activity. Wonder why what is there seems to be slipping past TDSSKiller's checks.

We could replace the MBR with a Windows 7 default copy, but there is always a concern that will then have you lose access to any factory reinstall partition - press some key sequence during a reboot, and access a location that will then just return the system to factory state. Do you know if your system has that? If the malware has altered the MBR, then that access is already lost, and returning a default MBR would then serve to cripple the malware.

Run ComboFix again please, and post that log. Perhaps it repairing that .dll will open new doors for it.

Also locate the following highlighted file(s), zip a copy of it, and send it to jintan AT malwarecrypt.com as an attachment. Please place "Submitted Files - brightjoy2/mb/mbr" as the email Subject.

C:\Documents and Settings\Jeff\Desktop\MBR.dat


I received the MBR copy, thanks. Looks like we're being snookered here - the mbr.dat file was just filled with empty spaces. Suggests maybe some watcher driver being loaded to block and distract things. Go ahead and run ComboFix again, but also do the following after that:

Open GMER again. Once it has completed its opening scan, this time just right-click in the white space in the display and select Options - Only non MS files. Then click Scan and allow GMER to run a different scan. Once that completes click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.


ComboFix 12-05-17.08 - Jeff 05/17/2012 19:35:25.2.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1729 [GMT -8:00]

Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Jeff\Desktop\Data_Recovery.lnk

.

.

((((((((((((((((((((((((( Files Created from 2012-04-18 to 2012-05-18 )))))))))))))))))))))))))))))))

.

.

2012-05-17 05:20 . 2012-05-17 05:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2012-05-14 16:44 . 2012-05-14 16:44 -------- d-----w- c:\documents and settings\Jeff\Application Data\Malwarebytes

2012-05-14 16:44 . 2012-05-14 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-05-14 16:44 . 2012-05-14 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-05-14 16:44 . 2012-04-04 23:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-30 17:33 . 2012-05-11 00:18 -------- d-----w- c:\program files\Microsoft Silverlight

2012-04-23 17:24 . 2012-04-23 17:24 -------- d-----w- c:\program files\PureEdge1

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-05-05 00:10 . 2012-04-05 23:58 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-05 00:10 . 2012-04-05 23:58 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-11 13:14 . 2006-03-16 04:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-04-11 13:12 . 2006-03-16 04:00 1862272 ----a-w- c:\windows\system32\win32k.sys

2012-04-11 12:35 . 2006-03-16 04:00 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-03-01 11:01 . 2006-03-16 04:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-03-01 11:01 . 2006-03-16 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-03-01 11:01 . 2006-03-16 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-02-29 14:10 . 2006-03-16 04:00 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-02-29 14:10 . 2006-03-16 04:00 148480 ----a-w- c:\windows\system32\imagehlp.dll

2012-02-29 12:17 . 2006-03-16 04:00 385024 ----a-w- c:\windows\system32\html.iec

2001-06-20 21:19 . 2001-06-19 21:34 40960 ----a-w- c:\program files\ACMonitor_X83.exe

2012-01-29 15:55 . 2012-02-08 03:15 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1dad3af3-ef2f-4f64-ac4b-11789189fcb6}]

2012-02-10 19:28 1307928 ----a-w- c:\program files\Microsoft\BingBar\7.1.361.0\BingExt.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-12-10 247144]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-27 15026056]

"Device Detection"="c:\program files\FUJIFILM\MyFinePix Studio\dd.exe" [2011-06-07 404664]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-11 149280]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]

"nwiz"="nwiz.exe" [2006-08-18 1617920]

"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-12 102400]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]

"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]

"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]

"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

.

c:\documents and settings\Jeff\Start Menu\Programs\Startup\

Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2007-5-15 130864]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2007-05-15 20:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2007-05-15 20:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\BearShare\\BearShare.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

.

S2 0062421329956074mcinstcleanup;McAfee Application Installer Cleanup (0062421329956074);c:\windows\TEMP\006242~1.EXE -cleanup -nolog --> c:\windows\TEMP\006242~1.EXE -cleanup -nolog [?]

S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 12:08 PM 182576]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/20/2010 8:13 PM 136360]

S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2/10/2012 11:28 AM 193816]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/14/2012 8:44 AM 654408]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\McSACore.exe [12/3/2009 1:37 PM 95200]

S2 MOBCleanup;MOBCleanup;"c:\docume~1\Jeff\LOCALS~1\Temp\MOBCleanup.exe" --> c:\docume~1\Jeff\LOCALS~1\Temp\MOBCleanup.exe [?]

S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [12/10/2010 4:29 AM 92008]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 12:39 PM 61952]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 3:58 PM 257696]

S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2/10/2012 11:28 AM 240408]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/14/2012 8:44 AM 22344]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]

S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/6/2010 7:19 PM 57856]

S3 usbvm328;HP Camera;c:\windows\system32\drivers\usbvm326.sys [2/14/2011 1:40 PM 219648]

S3 vmfilter323;VC0326 filter service for Serome;c:\windows\system32\drivers\vmfilter323.sys [2/14/2011 1:40 PM 475264]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MDMXSDK

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-18 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 00:10]

.

2012-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

Trusted Zone: ahrn.com\www

Trusted Zone: ahrn.com\www*

Trusted Zone: chase.com

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 209.165.131.12 209.165.131.13 0.0.0.0

FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\wifw4z5k.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-05-17 19:43

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????Q??????Y?@?????<?@

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(584)

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll

.

Completion time: 2012-05-17 19:45:08

ComboFix-quarantined-files.txt 2012-05-18 03:45

ComboFix2.txt 2012-05-16 01:30

.

Pre-Run: 24,524,951,552 bytes free

Post-Run: 24,508,145,664 bytes free

.

- - End Of File - - 1221430E0B002328A8FCAAFDC9C18421

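ComboFix's service and Run-key listings are where entries like the two S2 services above stand out: both have images under a temp directory and both end in [?] instead of a file timestamp and size. The parser below is an added example for this page, not ComboFix's own logic and not something the helper posted. It reads those two line formats and applies three rules: image under a temp directory, no timestamp/size recorded ([?]), and a bare file name with no directory, which is resolved through the search path and is a hijack surface even when the entry itself is a stock one such as nwiz.exe. Sample lines are copied from the ComboFix log above; the severity scheme is this example's own.

```python
"""Flag suspicious service and Run-key entries in a ComboFix log.
Added example for this thread; not ComboFix's own logic. Sample lines are
copied from the ComboFix log posted above."""
import re

# 'S2 name;display name;image path [stamp]' (R = running, S = stopped, digit = start type)
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
# '"value name"="image path" [date size]'
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]\s*$')
IMAGE_RE = re.compile(r'^"?([^"]+?\.(?:exe|sys|dll|cpl))"?', re.I)
STAMP_RE = re.compile(r"\[([^\]]*)\]\s*$")


def image_of(field):
    """Return (image path, stamp) from a ComboFix service path field, which is
    either 'path [stamp]' or 'registry value --> resolved path [stamp]'."""
    if " --> " in field:
        field = field.split(" --> ", 1)[1]
    stamp = None
    if m := STAMP_RE.search(field):
        stamp = m[1].strip()
        field = field[:m.start()]
    field = field.strip()
    m = IMAGE_RE.match(field)          # drop command-line arguments such as '-cleanup'
    return (m[1] if m else field), stamp


def parse_entries(lines):
    entries = []
    for raw in lines:
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            image, stamp = image_of(m[4])
            entries.append({"kind": "service", "start": int(m[1][1]), "name": m[2],
                            "image": image, "stamp": stamp})
        elif m := RUN_RE.match(line):
            entries.append({"kind": "run", "start": None, "name": m[1],
                            "image": m[2], "stamp": m[3].strip()})
    return entries


def triage(entries):
    """Return (severity, name, image, reasons) for each entry that trips a rule."""
    findings = []
    for e in entries:
        path = e["image"].lower()
        reasons = []
        if "\\" not in path:
            reasons.append("bare file name, resolved through the search path")
        if "\\temp\\" in path or "\\tmp\\" in path:
            reasons.append("image lives in a temp directory")
        if e["stamp"] == "?":
            reasons.append("no file timestamp/size recorded ([?])")
        if reasons:
            starts_early = e["start"] is not None and e["start"] <= 2   # boot/system/auto
            severity = "high" if starts_early and len(reasons) > 1 else "medium"
            findings.append((severity, e["name"], e["image"], reasons))
    return findings


# Lines copied from the ComboFix log posted in this thread.
SAMPLE = r"""
S2 0062421329956074mcinstcleanup;McAfee Application Installer Cleanup (0062421329956074);c:\windows\TEMP\006242~1.EXE -cleanup -nolog --> c:\windows\TEMP\006242~1.EXE -cleanup -nolog [?]
S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 12:08 PM 182576]
S2 MOBCleanup;MOBCleanup;"c:\docume~1\Jeff\LOCALS~1\Temp\MOBCleanup.exe" --> c:\docume~1\Jeff\LOCALS~1\Temp\MOBCleanup.exe [?]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 12:39 PM 61952]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/14/2012 8:44 AM 22344]
"nwiz"="nwiz.exe" [2006-08-18 1617920]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"Device Detection"="c:\program files\FUJIFILM\MyFinePix Studio\dd.exe" [2011-06-07 404664]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-27 15026056]
"""

if __name__ == "__main__":
    for severity, name, image, reasons in triage(parse_entries(SAMPLE.splitlines())):
        print(f"[{severity}] {name}: {image}")
        for reason in reasons:
            print("    -", reason)
```

The two auto-start services under TEMP are the entries a responder looks at first, because a service whose binary is gone but whose registration remains will be recreated or replaced by whatever drops a file at that path; that is the check the "[?]" rule encodes. The bare-name rule is deliberately noisy on stock entries, since the point is the exposure (any DLL or EXE with that name earlier in the search path wins), not the entry's origin.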

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-05-17 19:52:22

Windows 5.1.2600 Service Pack 3

Running: qx4x3rwb.exe; Driver: C:\DOCUME~1\Jeff\LOCALS~1\Temp\pxtdypod.sys

---- Modules - GMER 1.0.15 ----

Module viaide.sys (Generic PCI IDE Bus Driver/Microsoft Corporation) F798D000-F798F000 (8192 bytes)

Module aliide.sys (ALi mini IDE Driver/Acer Laboratories Inc.) F798F000-F7991000 (8192 bytes)

Module nvata.sys (NVIDIA® nForce IDE Performance Driver/NVIDIA Corporation) F7393000-F73AC000 (102400 bytes)

Module PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions) F7717000-F771C000 (20480 bytes)

Module \SystemRoot\system32\DRIVERS\cpqbttn.sys (HP Tablet PC Key Button HID Driver/Hewlett-Packard Development Company, L.P.) F7923000-F7926000 (12288 bytes)

Module \SystemRoot\system32\DRIVERS\nvsmu.sys (NVIDIA® nForce SMU Microcontroller Driver/NVIDIA Corporation) F7933000-F7936000 (12288 bytes)

Module \SystemRoot\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows ® Server 2003 DDK provider) F71BF000-F71E7000 (163840 bytes)

Module \SystemRoot\system32\DRIVERS\nvnetbus.sys (NVIDIA Networking Bus Driver./NVIDIA Corporation) F795B000-F795F000 (16384 bytes)

Module \SystemRoot\system32\DRIVERS\NVNRM.SYS (NVIDIA Network Resource Manager./NVIDIA Corporation) F7174000-F71BF000 (307200 bytes)

Module \SystemRoot\system32\DRIVERS\NVSNPU.SYS (NVIDIA Networking Soft-NPU Driver./NVIDIA Corporation) F713D000-F7174000 (225280 bytes)

Module \SystemRoot\system32\DRIVERS\SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) F710D000-F713D000 (196608 bytes)

Module \SystemRoot\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) F777F000-F7784000 (20480 bytes)

Module \SystemRoot\system32\DRIVERS\NVENETFD.sys (NVIDIA Networking Function Driver./NVIDIA Corporation) F75C7000-F75D0000 (36864 bytes)

Module \SystemRoot\System32\ATMFD.DLL (Windows NT OpenType/Type 1 Font Driver/Adobe Systems Incorporated) BF012000-BF059000 (290816 bytes)

Module \??\C:\DOCUME~1\Jeff\LOCALS~1\Temp\catchme.sys F780F000-F7817000 (32768 bytes)

Module \??\C:\DOCUME~1\Jeff\LOCALS~1\Temp\pxtdypod.sys (GMER) F6498000-F64B1000 (102400 bytes)

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\explorer.exe (Windows Explorer/Microsoft Corporation) 248

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (PDF Shell Extension/Adobe Systems, Inc.) 0x10000000

Process C:\WINDOWS\system32\csrss.exe (Client Server Runtime Process/Microsoft Corporation) 560

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\winlogon.exe (Windows NT Logon Application/Microsoft Corporation) 584

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Library C:\WINDOWS\system32\ackpbsc.dll (ackpbsc/ActivIdentity) 0x10000000

Library C:\WINDOWS\system32\aclog.dll (ActivIdentity Log API/ActivIdentity) 0x00FA0000

Library C:\WINDOWS\system32\ACLIBEAY.dll (OpenSSL Shared Library/ActivIdentity) 0x01090000

Library C:\WINDOWS\system32\acevtsub.dll (ActivIdentity Event Subscriber DLL/ActivIdentity) 0x01180000

Library C:\WINDOWS\system32\asphat32.dll (asphat32/ActivIdentity) 0x011B0000

Library C:\WINDOWS\system32\acerrmes.dll (acerrmes DLL/ActivIdentity) 0x01210000

Library C:\WINDOWS\system32\aspcom.dll (ASPCOM API/ActivIdentity) 0x01230000

Library C:\Program Files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll (acerrmes DLL/ActivIdentity) 0x01270000

Library C:\Program Files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll (asphat32/ActivIdentity) 0x013D0000

Library C:\Program Files\ActivIdentity\ActivClient\acunlock.dll (acunlock DLL/ActivIdentity) 0x01C80000

Library C:\WINDOWS\system32\aipingui.dll (Common Application GUI resources/ActivIdentity) 0x01CE0000

Library C:\Program Files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll (Common Application GUI resources/ActivIdentity) 0x01D30000

Library C:\Program Files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll (acCobAPI resources DLL/ActivIdentity) 0x01DB0000

Library C:\Program Files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll (acunlock DLL/ActivIdentity) 0x01E10000

Process C:\WINDOWS\system32\services.exe (Services and Controller app/Microsoft Corporation) 628

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) 640

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 800

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 872

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1040

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1052

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\Program Files\internet explorer\iexplore.exe (Internet Explorer/Microsoft Corporation) 1092

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\ctfmon.exe (CTF Loader/Microsoft Corporation) 1132

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1168

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\Program Files\ActivIdentity\ActivClient\acevents.exe (ActivIdentity Event Service/ActivIdentity) 1252

Library C:\Program Files\ActivIdentity\ActivClient\acevents.exe (ActivIdentity Event Service/ActivIdentity) 0x00400000

Library C:\WINDOWS\system32\aclog.dll (ActivIdentity Log API/ActivIdentity) 0x10000000

Library C:\WINDOWS\system32\asphat32.dll (asphat32/ActivIdentity) 0x00350000

Library C:\WINDOWS\system32\ackpbsc.dll (ackpbsc/ActivIdentity) 0x003C0000

Library C:\WINDOWS\system32\ACLIBEAY.dll (OpenSSL Shared Library/ActivIdentity) 0x00420000

Library C:\WINDOWS\system32\acerrmes.dll (acerrmes DLL/ActivIdentity) 0x004D0000

Library C:\WINDOWS\system32\acevtsub.dll (ActivIdentity Event Subscriber DLL/ActivIdentity) 0x004F0000

Library C:\WINDOWS\system32\aspcom.dll (ASPCOM API/ActivIdentity) 0x00520000

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Library C:\Program Files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll (acerrmes DLL/ActivIdentity) 0x008C0000

Library C:\Program Files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll (asphat32/ActivIdentity) 0x00920000

Process C:\Documents and Settings\Jeff\Desktop\qx4x3rwb.exe 1268

Library C:\Documents and Settings\Jeff\Desktop\qx4x3rwb.exe 0x00400000

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\Program Files\internet explorer\iexplore.exe (Internet Explorer/Microsoft Corporation) 1816

Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Library C:\WINDOWS\system32\Macromed\Flash\Flash32_11_2_202_235.ocx (Adobe Flash Player 11.2 r202/Adobe Systems, Inc.) 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\TEMP\006242~1.EXE [AUTO] 0062421329956074mcinstcleanup

Service C:\WINDOWS\System32\Drivers\5U870CAP.sys (Ricoh USB Camera driver/Ricoh) [MANUAL] 5U870CAP_VID_1262&PID_25FD

Service C:\Program Files\ActivIdentity\ActivClient\accoca.exe (ActivIdentity Cache Server/ActivIdentity) [AUTO] accoca

Service C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe (Add Filter For Usb/Hewlett-Packard Development Company, L.P.) [MANUAL] AddFiltr

Service C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe® Flash® Player Update Service 11.2 r202/Adobe Systems Incorporated) [MANUAL] AdobeFlashPlayerUpdateSvc

Service C:\WINDOWS\system32\DRIVERS\aliide.sys (ALi mini IDE Driver/Acer Laboratories Inc.) [BOOT] AliIde

Service C:\WINDOWS\system32\DRIVERS\amdagp.sys (AMD Win2000 AGP Filter/Advanced Micro Devices, Inc.) [DISABLED] amdagp

Service C:\WINDOWS\system32\DRIVERS\AmdK8.sys (AMD Processor Driver/Advanced Micro Devices) [SYSTEM] AmdK8

Service C:\Program Files\Avira\AntiVir Desktop\sched.exe (Antivirus Scheduler/Avira GmbH) [AUTO] AntiVirSchedulerService

Service C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Antivirus On-Access Service/Avira GmbH) [AUTO] AntiVirService

Service C:\WINDOWS\system32\DRIVERS\asc.sys (AdvanSys SCSI Controller Driver/Advanced System Products, Inc.) [DISABLED] asc

Service C:\WINDOWS\system32\DRIVERS\asc3550.sys (AdvanSys Ultra-Wide PCI SCSI Driver/Advanced System Products, Inc.) [DISABLED] asc3550

Service C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira AntiVir Support for Minifilter/Avira GmbH) [SYSTEM] avgio

Service C:\WINDOWS\system32\DRIVERS\avgntflt.sys (Avira Minifilter Driver/Avira GmbH) [AUTO] avgntflt

Service C:\WINDOWS\system32\DRIVERS\avipbb.sys (Avira Driver for Security Enhancement/Avira GmbH) [SYSTEM] avipbb

Service C:\WINDOWS\system32\DRIVERS\bcmwl5.sys (Broadcom 802.11 Network Adapter wireless driver/Broadcom Corporation) [MANUAL] BCM43XX

Service C:\WINDOWS\System32\Drivers\btwusb.sys (Driver for Bluetooth USB Devices/Broadcom Corporation.) [MANUAL] BTWUSB

Service C:\DOCUME~1\Jeff\LOCALS~1\Temp\catchme.sys [MANUAL] catchme

Service C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD PCI IDE Bus Driver/CMD Technology, Inc.) [DISABLED] CmdIde

Service C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Disk Array Controller Driver/Mylex Corporation) [DISABLED] dac2w2k

Service C:\WINDOWS\system32\DRIVERS\eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.) [SYSTEM] eabfiltr

Service C:\WINDOWS\system32\DRIVERS\eabusb.sys (QLB USB Keyboard filter driver/Hewlett-Packard Development Company, L.P.) [MANUAL] eabusb

Service C:\WINDOWS\system32\DRIVERS\cpqbttn.sys (HP Tablet PC Key Button HID Driver/Hewlett-Packard Development Company, L.P.) [MANUAL] HBtnKey

Service C:\WINDOWS\system32\drivers\CHDAud.sys (High Definition Audio Function Driver/Conexant Systems Inc.) [MANUAL] HdAudAddService

Service C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows ® Server 2003 DDK provider) [MANUAL] HDAudBus

Service C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (hpqwmiex Module/Hewlett-Packard Development Company, L.P.) [AUTO] hpqwmiex

Service C:\WINDOWS\system32\DRIVERS\HPZid412.sys (IEEE-1284.4-1999 Driver (Windows 2000)/HP) [MANUAL] HPZid412

Service C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (IEEE-1284.4-1999 Print Class Driver/HP) [MANUAL] HPZipr12

Service C:\WINDOWS\system32\DRIVERS\HPZius12.sys (1284.4<->Usb Datalink Driver (Windows 2000)/HP) [MANUAL] HPZius12

Service C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys (HSF_HWAZL WDM driver/Conexant Systems, Inc.) [MANUAL] HSFHWAZL

Service C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys (HSF_DP driver/Conexant Systems, Inc.) [MANUAL] HSF_DPV

Service C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Matrix Storage Manager driver/Intel Corporation) [DISABLED] iaStor

Service C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (IDriverT Module/Macrovision Corporation) [MANUAL] IDriverT

Service C:\Program Files\Java\jre6\bin\jqs.exe (Java Quick Starter Service/Sun Microsystems, Inc.) [AUTO] JavaQuickStarterService

Service C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company) [AUTO] LightScribeService

Service C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Anti-Malware/Malwarebytes Corporation) [MANUAL] MBAMProtector

Service C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Anti-Malware/Malwarebytes Corporation) [AUTO] MBAMService

Service c:\PROGRA~1\mcafee\SITEAD~1\McSACore.exe (SiteAdvisor/McAfee, Inc.) [AUTO] McAfee SiteAdvisor Service

Service C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Diagnostic Interface x86 Driver/Conexant) [AUTO] mdmxsdk

Service C:\DOCUME~1\Jeff\LOCALS~1\Temp\MOBCleanup.exe [AUTO] MOBCleanup

Service C:\WINDOWS\system32\DRIVERS\mraid35x.sys (MegaRAID RAID Controller Driver for Windows Whistler 32/American Megatrends Inc.) [DISABLED] mraid35x

Service MSDTC Bridge 3.0.0.0

Service C:\WINDOWS\system32\mqtgsvc.exe (Windows NT MSMQ Trigger Service/Microsoft Corporation) [AUTO] MSMQTriggers

Service C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Compatible Windows 2000 Miniport Driver, Version 86.19 /NVIDIA Corporation) [MANUAL] nv

Service C:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA® nForce IDE Performance Driver/NVIDIA Corporation) [BOOT] nvata

Service C:\WINDOWS\system32\DRIVERS\NVENETFD.sys (NVIDIA Networking Function Driver./NVIDIA Corporation) [MANUAL] NVENETFD

Service C:\WINDOWS\system32\DRIVERS\nvnetbus.sys (NVIDIA Networking Bus Driver./NVIDIA Corporation) [MANUAL] nvnetbus

Service C:\WINDOWS\system32\DRIVERS\nvsmu.sys (NVIDIA® nForce SMU Microcontroller Driver/NVIDIA Corporation) [MANUAL] nvsmu

Service C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Driver Helper Service, Version 86.19/NVIDIA Corporation) [AUTO] NVSvc

Service C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) [MANUAL] Ptilink

Service C:\WINDOWS\System32\Drivers\PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions) [BOOT] PxHelp20

Service C:\WINDOWS\system32\DRIVERS\ql1080.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) [DISABLED] ql1080

Service C:\WINDOWS\system32\DRIVERS\ql12160.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) [DISABLED] ql12160

Service C:\WINDOWS\system32\DRIVERS\ql1280.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) [DISABLED] ql1280

Service C:\WINDOWS\system32\DRIVERS\rimmptsk.sys (RICOH MMC Driver/REDC) [MANUAL] rimmptsk

Service C:\WINDOWS\system32\DRIVERS\rimsptsk.sys (RICOH MS Driver/REDC) [MANUAL] rimsptsk

Service C:\WINDOWS\system32\DRIVERS\rixdptsk.sys (RICOH XD SM Driver/REDC) [MANUAL] rismxdp

Service C:\WINDOWS\system32\DRIVERS\RTL8139.SYS (Realtek RTL8139 NDIS 5.0 Driver/Realtek Semiconductor Corporation) [MANUAL] rtl8139

Service C:\WINDOWS\system32\DRIVERS\SCR3XX2K.sys (PC-SC CCID Driver for SCR3xx USB Smart Card Reader/SCM Microsystems Inc.) [MANUAL] SCR3XX2K

Service C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [MANUAL] Secdrv

Service ServiceModelEndpoint 3.0.0.0

Service ServiceModelOperation 3.0.0.0

Service ServiceModelService 3.0.0.0

Service C:\WINDOWS\system32\DRIVERS\sisagp.sys (SiS NT AGP Filter/Silicon Integrated Systems Corporation) [DISABLED] sisagp

Service SMSvcHost 3.0.0.0

Service C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec AIC-6x60 series SCSI miniport/Adaptec, Inc.) [DISABLED] Sparrow

Service C:\WINDOWS\system32\DRIVERS\ssmdrv.sys (AVIRA SnapShot Driver/Avira GmbH) [SYSTEM] ssmdrv

Service C:\WINDOWS\system32\DRIVERS\StreamIP.sys (Microsoft IP Test Driver/Microsoft Corporation) [MANUAL] streamip

Service C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc. SCSI Miniport Driver/Symbios Logic Inc.) [DISABLED] symc810

Service C:\WINDOWS\system32\DRIVERS\symc8xx.sys (Symbios 8XX SCSI Miniport Driver/LSI Logic) [DISABLED] symc8xx

Service C:\WINDOWS\system32\DRIVERS\sym_hi.sys (Symbios Hi-Perf SCSI Miniport Driver/LSI Logic) [DISABLED] sym_hi

Service C:\WINDOWS\system32\DRIVERS\sym_u3.sys (Symbios Ultra3 SCSI Miniport Driver/LSI Logic) [DISABLED] sym_u3

Service C:\WINDOWS\system32\DRIVERS\SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) [MANUAL] SynTP

Service C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (Windows Service for TomTom HOME/TomTom) [AUTO] TomTomHOMEService

Service system32\DRIVERS\UIUSYS.SYS [MANUAL] UIUSys

Service C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Ultra66 Miniport Driver/Promise Technology, Inc.) [DISABLED] ultra

Service C:\WINDOWS\System32\Drivers\usbvm326.sys (Vc0326 Video Driver For Serome/Vimicro Corporation) [MANUAL] usbvm328

Service C:\WINDOWS\system32\DRIVERS\viaide.sys (Generic PCI IDE Bus Driver/Microsoft Corporation) [BOOT] ViaIde

Service C:\WINDOWS\system32\drivers\vmfilter323.sys (VC326, Serome, 640* 480, all format/Vimicro Corporation) [MANUAL] vmfilter323

Service C:\Program Files\Vongo\VongoService.exe (Vongo Download Manager/Starz Entertainment Group LLC) [AUTO] Vongo Service

Service C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (HSF_CNXT driver/Conexant Systems, Inc.) [MANUAL] winachsf

Service Windows Workflow Foundation 3.0.0.0

---- EOF - GMER 1.0.15 ----

new GMER scan log


Some remnant services we need to remove, but just no ID elsewise. Is that a free version of AntiVir, that you can uninstall to help clear up what Gmer shows? I am not familiar with its current product enough to spot what part of the scan chatter belongs to it, or even if it now protects the MBR in some way. If so, do the following, then uninstall AntiVir, reboot and run a regular Gmer scan again.

If you haven't yet, go ahead and uninstall Vongo, which is no longer an active program.

Go to Start - Run, type cmd (and OK). Copy/paste each of the following at the prompt, Enter after each:

sc delete 0062421329956074mcinstcleanup

sc delete MOBCleanup

Type exit and press Enter to close the command window.
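The two remnants above share one trait: their binaries sit in a Temp folder. As an added example (not from the thread), this PowerShell script first audits every service whose ImagePath points into a Temp directory, so the reader can compare against the GMER log, and then removes only the two names given in the post, using the same sc.exe tool. It assumes an elevated prompt; the service names are taken from the post and the audit regex is an assumption of what counts as a Temp location.

```powershell
# Added example, not the helper's own procedure. Run from an elevated PowerShell prompt.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-TempHostedService {
    # Lists services whose ImagePath lives under a ...\Temp\ folder. Installer/cleanup
    # leftovers (like the two flagged by GMER above) usually look like this; -match is
    # case-insensitive, so both WINDOWS\TEMP and LOCALS~1\Temp are caught.
    Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.ImagePath) {
            $path = [Environment]::ExpandEnvironmentVariables($props.ImagePath)
            if ($path -match '\\Temp\\') {
                New-Object PSObject -Property @{
                    Name      = $_.PSChildName
                    ImagePath = $path
                    Start     = $props.Start   # 0=boot 1=system 2=auto 3=manual 4=disabled
                }
            }
        }
    }
}

function Remove-RemnantService {
    # Deletes only explicitly named services, after confirming each one still exists.
    param(
        [Parameter(Mandatory = $true)][string[]] $Name,
        [switch] $WhatIf
    )
    foreach ($n in $Name) {
        $exists = Get-ItemProperty "$servicesKey\$n" -ErrorAction SilentlyContinue
        if (-not $exists) { Write-Host "$n : not present, skipping"; continue }
        if ($WhatIf) { Write-Host "Would run: sc stop $n ; sc delete $n"; continue }
        # Stop first so the delete is not left pending until the next reboot.
        sc.exe stop $n | Out-Null
        sc.exe delete $n
    }
}

# 1. Audit: what else is hosted in a Temp folder? Compare with the GMER service list.
Get-TempHostedService | Format-Table Name, Start, ImagePath -AutoSize

# 2. Remove the two remnants named in the post (dry run; drop -WhatIf to delete).
Remove-RemnantService -Name '0062421329956074mcinstcleanup', 'MOBCleanup' -WhatIf
```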


15.15641 - http://www.gmer.net

Rootkit scan 2012-05-18 17:58:36

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\0000007b ST9100824AS rev.7.24

Running: zizmd605.exe; Driver: C:\DOCUME~1\Jeff\LOCALS~1\Temp\pxtdypob.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Cdfs \Cdfs F6639400

---- EOF - GMER 1.0.15 ----


We have been hunting an AntiVir chimera? I will have to install a copy and verify all that myself. Please do not reinstall any other security software until we complete our tasks here.

Go here and download Mischel's MBR Backup to your desktop, then click MBRBackup.exe to start the utility.

Click Save MBR, and save that file to a location you can easily return to later. Then close MBR Backup.

Zip a copy and email that saved file to me as an attachment please.

The file is always prenamed MBR_year_month_day.bin. MBR_2011_05_27.bin for example.

--------------

Open and update Malwarebytes.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform quick scan", then click Scan.

* The scan may take some time to finish, so please be patient.

* When the scan is complete, click OK, then Show Results to view the results.

* Make sure that everything is checked, and click Remove Selected.

* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.

* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

---------------

Disable your antivirus program and click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file to run the scanner.

If you accept the Terms of Use, check the box and click Start. It will take a couple minutes for the scanner to get ready. When the Computer scan settings display shows, check the following boxes:

Remove found threats

Scan unwanted applications

Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Then click the Advanced option, then place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology

Click Start. This scan may take a while, so please be patient.

If infection is found, at the end of the scan click "List of found threats".

In that display, at the bottom, select the option to save the results as a text file, and save that to your desktop. Post that back here please.

Post that log and the Malwarebytes log please.


2012/05/19 19:27:28 -0800 STOLL MESSAGE Starting protection

2012/05/19 19:27:36 -0800 STOLL MESSAGE Protection started successfully

2012/05/19 19:27:39 -0800 STOLL MESSAGE Executing scheduled update: Daily

2012/05/19 19:27:39 -0800 STOLL MESSAGE Starting IP protection

2012/05/19 19:27:56 -0800 STOLL MESSAGE Scheduled update executed successfully: database updated from version v2012.05.18.08 to version v2012.05.20.01

2012/05/19 19:29:16 -0800 STOLL Jeff MESSAGE IP Protection started successfully

2012/05/19 19:29:16 -0800 STOLL Jeff MESSAGE Starting database refresh

2012/05/19 19:29:16 -0800 STOLL Jeff MESSAGE Stopping IP protection

2012/05/19 19:29:17 -0800 STOLL Jeff MESSAGE IP Protection stopped

2012/05/19 19:29:27 -0800 STOLL Jeff MESSAGE Database refreshed successfully

2012/05/19 19:29:27 -0800 STOLL Jeff MESSAGE Starting IP protection

2012/05/19 19:29:37 -0800 STOLL Jeff MESSAGE IP Protection started successfully

2012/05/19 20:29:32 -0800 STOLL Jeff MESSAGE Executing scheduled update: Daily

2012/05/19 20:29:34 -0800 STOLL Jeff MESSAGE Database already up-to-date

The Eset scan came out clean with no threats, there wasn't a log that I can copy like a list of threats. And the Malware report is also clean.


It seems like it is all good to go. Got to reset an anti-virus program back though, should I go back to the Avira Anti-virus? Do I do anything about those hidden files that I had to uncover, or just leave them as they are? I suppose the rest of those text files can go too? I really need to clean it up, having too much junk stored in there instead of my external hard disk. Thanks a lot for all the efforts and time taken. I really appreciate that you took all the time and patience. Thanks

