Search engine redirects


haysee5


I have a search engine redirect problem. I'm running XP, and use Thunderbird. Yahoo, Google, and Bing all get redirected to either another search engine, a random web-page, or a search-engine URL with no content. Also, twice I have started to shutdown a program (Kingsoft Spreadsheets) but received a message that another user was logged in. My system restore points are missing, Windows Essentials are disabled and Carbonite can't connect to the local Carbonite service. I don't know how much of this is related, of course. Grateful for any help.

Thanks,

Tom


  • Staff

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next; if you have any problems with one of them, just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

-RogueKiller-

  • Download RogueKiller (or from here) & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

Gringo


Hi, Gringo. Thanks for the quick reply. I am still getting redirects (newsbuster, scour, etc.). Here are my logs:

Results of screen317's Security Check version 0.99.56

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

Microsoft Security Essentials

Antivirus up to date! (On Access scanning disabled!)

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java 6 Update 22

Java 6 Update 35

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Flash Player 11.5.502.135

Adobe Reader 10.1.4 Adobe Reader out of Date!

Mozilla Firefox (17.0.1)

Mozilla Thunderbird (5.0). Thunderbird out of Date!

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````

# AdwCleaner v2.101 - Logfile created 12/20/2012 at 15:12:01

# Updated 16/12/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Tom - HAYSEEDHOMEBASE

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Tom\My Documents\Downloads\AdwCleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kincjchfokkeneeofpeefomkikfkiedl

Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Premium

Folder Deleted : C:\Documents and Settings\All Users\Application Data\SaveAs

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F3FEE66E-E034-436A-86E4-9690573BEE8A}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3FEE66E-E034-436A-86E4-9690573BEE8A}

Key Deleted : HKLM\Software\Freeze.com

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://websearch.mocaflix.com/ --> hxxp://www.google.com

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://websearch.mocaflix.com/ --> hxxp://www.google.com

-\\ Mozilla Firefox v17.0.1 (en-US)

Profile name : default

File : C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\prefs.js

Deleted : user_pref("aol_toolbar.default.homepage.check", false);

Deleted : user_pref("aol_toolbar.default.search.check", false);

Deleted : user_pref("browser.search.defaultenginename", "WebSearch");

Deleted : user_pref("browser.search.defaultenginename,S", "WebSearch");

Deleted : user_pref("browser.search.defaulturl", "hxxp://websearch.mocaflix.com/?l=1&q=");

Deleted : user_pref("browser.search.order.1", "WebSearch");

Deleted : user_pref("browser.search.order.1,S", "WebSearch");

Deleted : user_pref("browser.search.selectedEngine,S", "WebSearch");

Deleted : user_pref("extensions.50b8f6939d95e.scode", "(function(){try{if('aol.com,mail.google.com,mystart.inc[...]

Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);

Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);

Deleted : user_pref("keyword.URL", "hxxp://websearch.mocaflix.com/?l=1&q=");

Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");

Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");

Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");

Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");

Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");

Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");

Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");

Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

Profile name : default

File : C:\Documents and Settings\Administrator.HAYSEEDHOMEBASE\Application Data\Mozilla\Firefox\Profiles\tslijr5u.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3835 octets] - [20/12/2012 15:09:56]

AdwCleaner[S1].txt - [3750 octets] - [20/12/2012 15:12:01]

########## EOF - C:\AdwCleaner[S1].txt - [3810 octets] ##########

RogueKiller V8.4.0 [Dec 20 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Tom [Admin rights]

Mode : Remove -- Date : 12/20/2012 15:22:48

¤¤¤ Bad processes : 1 ¤¤¤

[SUSP PATH] GoogleCrashHandler.exe -- C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\1.3.21.123\GoogleCrashHandler.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤

[RUN][SUSP PATH] HKUS\.DEFAULT[...]\Run : Bifröst II on HAYSEEDHOMEBASE (from HAYSEEDMOBILE) (C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIHEA.EXE /FU "C:\WINDOWS\TEMP\E_S67D.tmp" /EF "HKCU") -> DELETED

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST350041 3AS SCSI Disk Device +++++

--- User ---

[MBR] d391c0715b9607c37bc8bfe68b54cb65

[BSP] d798585473137686660b7b42e1787804 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[2]_D_12202012_02d1522.txt >>

RKreport[1]_S_12202012_02d1522.txt ; RKreport[2]_D_12202012_02d1522.txt

Thanks,

Tom

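A defender-side check for the kind of Firefox search hijack the AdwCleaner log above removed, written as an added example for this thread (it is not part of AdwCleaner or any tool used here). The allowlists of search hosts and engine names, the toolbar prefix list and the sample prefs.js lines are assumptions modelled on the entries in the log.

```python
"""Flag search/homepage hijacks and toolbar residue in a Firefox prefs.js.

Added example for this thread; not part of AdwCleaner or any tool used above.
"""
import re
from urllib.parse import urlparse

# Preferences that decide where a search box or the address bar sends a query.
# A hijacker rewrites these so every search goes through its own host first.
SEARCH_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.defaulturl",
    "browser.search.order.1",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
    "keyword.URL",
}
ENGINE_NAME_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.order.1",
    "browser.search.selectedEngine",
}

# Allowlists are an assumption for this example; adjust to your environment.
KNOWN_GOOD_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
KNOWN_GOOD_ENGINES = {"Google", "Bing", "Yahoo"}

# Preference namespaces left behind by the toolbars seen in the log above.
TOOLBAR_PREFIXES = ("sweetim.toolbar.", "extensions.BabylonToolbar.", "aol_toolbar.")

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref(...) line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def unquote(raw):
    """Strip the surrounding quotes from a string-valued preference."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def find_hijacks(prefs):
    """Return (name, value, reason) for every preference that looks hijacked."""
    findings = []
    for name, raw in prefs.items():
        value = unquote(raw)
        if name.startswith(TOOLBAR_PREFIXES):
            findings.append((name, value, "leftover toolbar/adware preference"))
            continue
        # The log showed "...,S" duplicates of some names; judge them by the base name.
        base = name.split(",")[0]
        if base not in SEARCH_PREFS:
            continue
        if value.lower().startswith(("http://", "https://")):
            host = urlparse(value).hostname or ""
            if host not in KNOWN_GOOD_HOSTS:
                findings.append((name, value, "search/home URL points at unexpected host " + host))
        elif base in ENGINE_NAME_PREFS and value not in KNOWN_GOOD_ENGINES:
            findings.append((name, value, "unknown search engine name"))
    return findings


# Constructed sample modelled on the prefs AdwCleaner deleted above (hxxp:// written
# out as http:// the way it appears in a real prefs.js); benign lines are mixed in.
SAMPLE_PREFS = """\
user_pref("browser.search.defaultenginename", "WebSearch");
user_pref("browser.search.defaulturl", "http://websearch.mocaflix.com/?l=1&q=");
user_pref("browser.search.order.1,S", "WebSearch");
user_pref("browser.search.selectedEngine", "Yahoo");
user_pref("browser.startup.homepage", "about:home");
user_pref("keyword.URL", "http://websearch.mocaflix.com/?l=1&q=");
user_pref("sweetim.toolbar.searchguard.enable", "");
user_pref("extensions.BabylonToolbar.prtkDS", 0);
user_pref("network.cookie.cookieBehavior", 0);
"""


def scan_text(text):
    """Parse prefs.js text and return the hijack findings."""
    return find_hijacks(parse_prefs(text))


if __name__ == "__main__":
    for name, value, reason in scan_text(SAMPLE_PREFS):
        print(f"{name} = {value!r}: {reason}")
```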

  • Staff

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


I didn't have any problems at all; it loaded the console okay, but the computer's symptoms haven't changed, i.e. the legitimate search engines are still being redirected to newsbusters, livesearchnow, scour - maybe more. About a week ago, the computer had mocaflix, but I thought MBAM got rid of it. It hasn't been around for a few days - I wonder if it dropped the stuff that we're seeing now.

Also, when I went to disable Windows Essentials before this last scan, the WE console came up for less than a second. It was red with a red "X", then it disappeared. The icon in the tray on the lower right came on red also. It stayed on for about two seconds then disappeared, too.

Here's the Combofix log:

ComboFix 12-12-20.02 - Tom 12/20/2012 19:13:02.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2027 [GMT -6:00]

Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Tom\Recent\Thumbs.db

C:\Thumbs.db

c:\windows\EventSystem.log

c:\windows\system32\dllcache\wmpvis.dll

c:\windows\system32\drivers\etc\hosts.ics

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\SET1903.tmp

c:\windows\system32\SET1907.tmp

c:\windows\system32\SET1908.tmp

c:\windows\system32\SET1910.tmp

c:\windows\system32\wpcap.dll

c:\windows\XSxS

.

.

((((((((((((((((((((((((( Files Created from 2012-11-21 to 2012-12-21 )))))))))))))))))))))))))))))))

.

.

2012-12-18 19:44 . 2012-12-18 19:44 -------- d-----w- c:\documents and settings\Administrator.HAYSEEDHOMEBASE

2012-12-18 19:10 . 2012-12-18 19:10 -------- d-----w- C:\TDSSKiller_Quarantine

2012-12-15 15:20 . 2012-12-15 15:20 135168 --sha-r- c:\windows\system32\lfjbguw.dll

2012-12-14 23:19 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EF29CA5B-C78A-4138-920B-72FFB227853F}\mpengine.dll

2012-12-14 22:20 . 2012-12-14 22:24 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Deployment

2012-12-13 18:32 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes

2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-12-12 18:15 . 2012-09-30 01:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-11 18:18 . 2011-12-12 23:43 1034240 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys

2012-12-11 18:18 . 2010-02-03 17:21 89088 ----a-w- c:\windows\system32\ATL71.DLL

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-12 09:16 . 2012-04-15 01:39 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-12 09:16 . 2011-05-29 02:56 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-13 01:25 . 2003-03-31 07:00 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-06 00:41 . 2003-03-31 07:00 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-11-02 02:02 . 2003-03-31 07:00 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17 . 2003-03-31 07:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17 . 2003-03-31 07:00 43520 ------w- c:\windows\system32\licmgr10.dll

2012-11-01 12:17 . 2003-03-31 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-11-01 00:35 . 2011-05-23 07:33 385024 ------w- c:\windows\system32\html.iec

2012-10-02 18:04 . 2003-03-31 07:00 58368 ----a-w- c:\windows\system32\synceng.dll

2012-12-05 05:53 . 2012-12-05 05:53 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Radio365Agent"="c:\program files\Live365\Radio365\Radio365TrayAgent.exe" [2011-04-13 1003520]

"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2010-11-23 500992]

"RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2010-11-23 38144]

"Flashpaste"="c:\program files\Flashpaste\flashpaste.exe" [2011-04-17 643584]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]

"CGFLoader"="c:\program files\Calibrize\CalibrizeLoader.exe" [2007-11-26 1961984]

"CalibrizeResume"="c:\program files\Calibrize\CalibrizeResume.exe" [2007-11-26 413696]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2010-11-02 19580520]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-10-08 203072]

"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976]

"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-08-29 1061960]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\Tom\Start Menu\Programs\Startup\

Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2008-4-29 1699840]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Adobe Download Assistant\\Adobe Download Assistant.exe"=

"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=

"c:\\Program Files\\LogMeIn Hamachi\\hamachi-2-ui.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [5/27/2011 3:28 PM 218688]

R2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE [4/9/2012 12:36 PM 125440]

R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2/28/2012 4:38 PM 1373576]

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/12/2012 12:15 PM 399432]

R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [12/11/2012 12:18 PM 1034240]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/12/2012 12:15 PM 22856]

S1 dcubamvg;dcubamvg;\??\c:\windows\system32\drivers\dcubamvg.sys --> c:\windows\system32\drivers\dcubamvg.sys [?]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/12/2012 12:15 PM 676936]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/23/2011 1:58 AM 1691480]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - TRUESIGHT

*Deregistered* - TrueSight

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-20 c:\windows\Tasks\AdobeAAMUpdater-1.0-HAYSEEDHOMEBASE-Tom.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-06-28 22:42]

.

2012-12-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003Core.job

- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-23 08:06]

.

2012-12-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003UA.job

- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-23 08:06]

.

2012-12-20 c:\windows\Tasks\Wnorzxwzl.job

- c:\windows\system32\lfjbguw.dll [2012-12-15 15:20]

.

2012-12-21 c:\windows\Tasks\WpsUpdateTask_Tom.job

- c:\program files\Kingsoft\Kingsoft Spreadsheets\office6\wpsupdate.exe [2011-11-03 16:00]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - about:home

FF - ExtSQL: 2012-12-12 08:01; firebug@software.joehewitt.com; c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\extensions\firebug@software.joehewitt.com.xpi

FF - ExtSQL: !HIDDEN! 2011-05-27 14:59; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{A057A204-BACC-4D26-8287-79A187E26987} - (no file)

HKCU-Run-AdobeBridge - (no file)

HKLM-Run-SwitchBoard - c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

SafeBoot-92853170.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-12-20 19:16

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2012-12-20 19:18:05

ComboFix-quarantined-files.txt 2012-12-21 01:18

.

Pre-Run: 441,456,492,544 bytes free

Post-Run: 445,146,615,808 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[Boot Loader]

Timeout=2

Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\

[Operating Systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\="Microsoft Windows" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 23C41C17A389ABAA591B33FFE6DF421E

Thanks,

Tom


  • Staff

Greetings

I want you to run these next.

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.

  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo


  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.

Gringo


Sorry. Had to leave for a day. All is the same as before, i.e. after a Google, Bing, etc. search engine page is opened, clicking any link on it causes the browser to be redirected to another search engine (Newsbusters, Scour, etc.) or sometimes to a random web-page.

Here are the logs:

09:47:42.0263 2264 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35

09:47:42.0935 2264 ============================================================

09:47:42.0935 2264 Current date / time: 2012/12/21 09:47:42.0935

09:47:42.0935 2264 SystemInfo:

09:47:42.0935 2264

09:47:42.0935 2264 OS Version: 5.1.2600 ServicePack: 3.0

09:47:42.0935 2264 Product type: Workstation

09:47:42.0935 2264 ComputerName: HAYSEEDHOMEBASE

09:47:42.0935 2264 UserName: Tom

09:47:42.0935 2264 Windows directory: C:\WINDOWS

09:47:42.0935 2264 System windows directory: C:\WINDOWS

09:47:42.0935 2264 Processor architecture: Intel x86

09:47:42.0935 2264 Number of processors: 2

09:47:42.0935 2264 Page size: 0x1000

09:47:42.0935 2264 Boot type: Normal boot

09:47:42.0935 2264 ============================================================

09:47:44.0076 2264 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058

09:47:44.0076 2264 ============================================================

09:47:44.0076 2264 \Device\Harddisk0\DR0:

09:47:44.0076 2264 MBR partitions:

09:47:44.0076 2264 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A380D41

09:47:44.0076 2264 ============================================================

09:47:44.0091 2264 C: <-> \Device\Harddisk0\DR0\Partition1

09:47:44.0091 2264 ============================================================

09:47:44.0091 2264 Initialize success

09:47:44.0091 2264 ============================================================

09:48:10.0341 1960 ============================================================

09:48:10.0341 1960 Scan started

09:48:10.0341 1960 Mode: Manual;

09:48:10.0341 1960 ============================================================

09:48:11.0716 1960 ================ Scan system memory ========================

09:48:11.0716 1960 System memory - ok

09:48:11.0716 1960 ================ Scan services =============================


09:48:12.0498 1960 BCMH43XX - ok

09:48:12.0529 1960 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys

09:48:12.0529 1960 Beep - ok

09:48:12.0545 1960 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll

09:48:12.0560 1960 BITS - ok

09:48:12.0591 1960 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll

09:48:12.0591 1960 Browser - ok

09:48:12.0670 1960 catchme - ok

09:48:12.0670 1960 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys

09:48:12.0685 1960 cbidf2k - ok

09:48:12.0685 1960 cd20xrnt - ok

09:48:12.0685 1960 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys

09:48:12.0685 1960 Cdaudio - ok

09:48:12.0701 1960 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys

09:48:12.0701 1960 Cdfs - ok

09:48:12.0716 1960 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys

09:48:12.0716 1960 Cdrom - ok

09:48:12.0716 1960 Changer - ok

09:48:12.0763 1960 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe

09:48:12.0763 1960 CiSvc - ok

09:48:12.0779 1960 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe

09:48:12.0779 1960 ClipSrv - ok

09:48:12.0841 1960 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

09:48:12.0841 1960 clr_optimization_v2.0.50727_32 - ok

09:48:12.0873 1960 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

09:48:12.0904 1960 clr_optimization_v4.0.30319_32 - ok

09:48:12.0904 1960 CmdIde - ok

09:48:12.0904 1960 COMSysApp - ok

09:48:12.0920 1960 Cpqarray - ok

09:48:12.0982 1960 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll

09:48:12.0982 1960 CryptSvc - ok

09:48:12.0998 1960 dac2w2k - ok

09:48:12.0998 1960 dac960nt - ok

09:48:13.0076 1960 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll

09:48:13.0076 1960 DcomLaunch - ok

09:48:13.0076 1960 dcubamvg - ok

09:48:13.0123 1960 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll

09:48:13.0138 1960 Dhcp - ok

09:48:13.0170 1960 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys

09:48:13.0170 1960 Disk - ok

09:48:13.0170 1960 dmadmin - ok

09:48:13.0185 1960 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys

09:48:13.0201 1960 dmboot - ok

09:48:13.0201 1960 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys

09:48:13.0216 1960 dmio - ok

09:48:13.0232 1960 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys

09:48:13.0232 1960 dmload - ok

09:48:13.0248 1960 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll

09:48:13.0248 1960 dmserver - ok

09:48:13.0295 1960 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys

09:48:13.0295 1960 DMusic - ok

09:48:13.0326 1960 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll

09:48:13.0326 1960 Dnscache - ok

09:48:13.0341 1960 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll

09:48:13.0341 1960 Dot3svc - ok

09:48:13.0341 1960 dpti2o - ok

09:48:13.0357 1960 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys

09:48:13.0357 1960 drmkaud - ok

09:48:13.0388 1960 [ 555E54AC2F601A8821CEF58961653991 ] dtsoftbus01 C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys

09:48:13.0388 1960 dtsoftbus01 - ok

09:48:13.0404 1960 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll

09:48:13.0420 1960 EapHost - ok

09:48:13.0482 1960 [ 59F66FC5F5A984C2060AD3363F69364A ] EPSON_PM_RPCV4_05 C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE

09:48:13.0498 1960 EPSON_PM_RPCV4_05 - ok

09:48:13.0513 1960 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll

09:48:13.0513 1960 ERSvc - ok

09:48:13.0545 1960 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe

09:48:13.0545 1960 Eventlog - ok

09:48:13.0607 1960 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\System32\es.dll

09:48:13.0607 1960 EventSystem - ok

09:48:13.0623 1960 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys

09:48:13.0623 1960 Fastfat - ok

09:48:13.0638 1960 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll

09:48:13.0638 1960 FastUserSwitchingCompatibility - ok

09:48:13.0638 1960 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys

09:48:13.0638 1960 Fdc - ok

09:48:13.0685 1960 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys

09:48:13.0685 1960 Fips - ok

09:48:13.0685 1960 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys

09:48:13.0685 1960 Flpydisk - ok

09:48:13.0732 1960 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys

09:48:13.0732 1960 FltMgr - ok

09:48:13.0810 1960 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

09:48:13.0810 1960 FontCache3.0.0.0 - ok

09:48:13.0810 1960 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys

09:48:13.0810 1960 Fs_Rec - ok

09:48:13.0826 1960 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys

09:48:13.0826 1960 Ftdisk - ok

09:48:13.0857 1960 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys

09:48:13.0873 1960 Gpc - ok

09:48:13.0904 1960 [ 833051C6C6C42117191935F734CFBD97 ] hamachi C:\WINDOWS\system32\DRIVERS\hamachi.sys

09:48:13.0904 1960 hamachi - ok

09:48:13.0935 1960 [ FA89C0429821C7C429EEC7A0CE1C02D3 ] Hamachi2Svc C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

09:48:13.0966 1960 Hamachi2Svc - ok

09:48:13.0982 1960 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

09:48:13.0982 1960 HDAudBus - ok

09:48:14.0045 1960 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll

09:48:14.0045 1960 helpsvc - ok

09:48:14.0045 1960 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll

09:48:14.0045 1960 HidServ - ok

09:48:14.0076 1960 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys

09:48:14.0076 1960 HidUsb - ok

09:48:14.0107 1960 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll

09:48:14.0107 1960 hkmsvc - ok

09:48:14.0107 1960 hpn - ok

09:48:14.0154 1960 [ 0A3C6AA4A9FC38C20BA4EAC2C3351C05 ] hpqcxs08 C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll

09:48:14.0154 1960 hpqcxs08 - ok

09:48:14.0201 1960 [ D03D10F7DED688FECF50F8FBF1EA9B8A ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys

09:48:14.0201 1960 HPZid412 - ok

09:48:14.0201 1960 [ 89F41658929393487B6B7D13C8528CE3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

09:48:14.0201 1960 HPZipr12 - ok

09:48:14.0201 1960 [ ABCB05CCDBF03000354B9553820E39F8 ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys

09:48:14.0216 1960 HPZius12 - ok

09:48:14.0263 1960 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys

09:48:14.0263 1960 HTTP - ok

09:48:14.0279 1960 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll

09:48:14.0279 1960 HTTPFilter - ok

09:48:14.0279 1960 i2omgmt - ok

09:48:14.0279 1960 i2omp - ok

09:48:14.0295 1960 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys

09:48:14.0295 1960 i8042prt - ok

09:48:14.0388 1960 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

09:48:14.0404 1960 idsvc - ok

09:48:14.0420 1960 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys

09:48:14.0420 1960 Imapi - ok

09:48:14.0451 1960 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe

09:48:14.0451 1960 ImapiService - ok

09:48:14.0466 1960 ini910u - ok

09:48:14.0591 1960 [ 0503EB6F3359E1C6E4C46FEF376405EF ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys

09:48:14.0623 1960 IntcAzAudAddService - ok

09:48:14.0623 1960 IntelIde - ok

09:48:14.0670 1960 [ 3BB22519A194418D5FEC05D800A19AD0 ] ip6fw C:\WINDOWS\system32\drivers\ip6fw.sys

09:48:14.0670 1960 ip6fw - ok

09:48:14.0701 1960 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

09:48:14.0701 1960 IpFilterDriver - ok

09:48:14.0701 1960 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys

09:48:14.0701 1960 IpInIp - ok

09:48:14.0732 1960 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys

09:48:14.0732 1960 IpNat - ok

09:48:14.0732 1960 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys

09:48:14.0732 1960 IPSec - ok

09:48:14.0748 1960 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys

09:48:14.0763 1960 IRENUM - ok

09:48:14.0779 1960 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys

09:48:14.0779 1960 isapnp - ok

09:48:14.0826 1960 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys

09:48:14.0826 1960 Kbdclass - ok

09:48:14.0826 1960 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys

09:48:14.0826 1960 kbdhid - ok

09:48:14.0873 1960 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys

09:48:14.0873 1960 kmixer - ok

09:48:14.0920 1960 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys

09:48:14.0920 1960 KSecDD - ok

09:48:14.0966 1960 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll

09:48:14.0966 1960 lanmanserver - ok

09:48:15.0013 1960 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll

09:48:15.0029 1960 lanmanworkstation - ok

09:48:15.0029 1960 lbrtfdc - ok

09:48:15.0076 1960 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll

09:48:15.0076 1960 LmHosts - ok

09:48:15.0123 1960 [ 500D089CE760D83DA2B6CBA681AA9949 ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys

09:48:15.0123 1960 MBAMProtector - ok

09:48:15.0154 1960 [ 85B16A92B117A5A800032ECD904B86DB ] MBAMScheduler C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

09:48:15.0154 1960 MBAMScheduler - ok

09:48:15.0185 1960 [ 20E2469DB709FC675E655CEAA11BE312 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

09:48:15.0185 1960 MBAMService - ok

09:48:15.0216 1960 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll

09:48:15.0216 1960 Messenger - ok

09:48:15.0248 1960 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys

09:48:15.0248 1960 mnmdd - ok

09:48:15.0279 1960 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\System32\mnmsrvc.exe

09:48:15.0279 1960 mnmsrvc - ok

09:48:15.0310 1960 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys

09:48:15.0326 1960 Modem - ok

09:48:15.0341 1960 [ C7D9F9717916B34C1B00DD4834AF485C ] Monfilt C:\WINDOWS\system32\drivers\Monfilt.sys

09:48:15.0373 1960 Monfilt - ok

09:48:15.0404 1960 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys

09:48:15.0404 1960 Mouclass - ok

09:48:15.0451 1960 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys

09:48:15.0451 1960 mouhid - ok

09:48:15.0451 1960 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys

09:48:15.0451 1960 MountMgr - ok

09:48:15.0482 1960 [ 8C7336950F1E69CDFD811CBBD9CF00A2 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

09:48:15.0482 1960 MozillaMaintenance - ok

09:48:15.0498 1960 [ EE728AF83850DDAD9A3FCAC0AAB3AD97 ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys

09:48:15.0498 1960 MpFilter - ok

09:48:15.0498 1960 mraid35x - ok

09:48:15.0529 1960 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys

09:48:15.0529 1960 MRxDAV - ok

09:48:15.0560 1960 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

09:48:15.0576 1960 MRxSmb - ok

09:48:15.0623 1960 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\System32\msdtc.exe

09:48:15.0623 1960 MSDTC - ok

09:48:15.0623 1960 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys

09:48:15.0623 1960 Msfs - ok

09:48:15.0623 1960 MSIServer - ok

09:48:15.0670 1960 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys

09:48:15.0670 1960 MSKSSRV - ok

09:48:15.0716 1960 [ E077FCA2A7E79FB9BF67D3E30B5CE593 ] MsMpSvc c:\Program Files\Microsoft Security Client\MsMpEng.exe

09:48:15.0716 1960 MsMpSvc - ok

09:48:15.0732 1960 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys

09:48:15.0732 1960 MSPCLOCK - ok

09:48:15.0732 1960 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys

09:48:15.0748 1960 MSPQM - ok

09:48:15.0763 1960 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys

09:48:15.0779 1960 mssmbios - ok

09:48:15.0795 1960 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys

09:48:15.0795 1960 Mup - ok

09:48:15.0826 1960 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll

09:48:15.0826 1960 napagent - ok

09:48:15.0857 1960 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys

09:48:15.0857 1960 NDIS - ok

09:48:15.0904 1960 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys

09:48:15.0904 1960 NdisTapi - ok

09:48:15.0904 1960 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys

09:48:15.0904 1960 Ndisuio - ok

09:48:15.0904 1960 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys

09:48:15.0920 1960 NdisWan - ok

09:48:15.0966 1960 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys

09:48:15.0966 1960 NDProxy - ok

09:48:15.0966 1960 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys

09:48:15.0966 1960 NetBIOS - ok

09:48:15.0998 1960 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys

09:48:15.0998 1960 NetBT - ok

09:48:16.0029 1960 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe

09:48:16.0045 1960 NetDDE - ok

09:48:16.0045 1960 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe

09:48:16.0045 1960 NetDDEdsdm - ok

09:48:16.0076 1960 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe

09:48:16.0076 1960 Netlogon - ok

09:48:16.0138 1960 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll

09:48:16.0138 1960 Netman - ok

09:48:16.0185 1960 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

09:48:16.0201 1960 NetTcpPortSharing - ok

09:48:16.0216 1960 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll

09:48:16.0216 1960 Nla - ok

09:48:16.0216 1960 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys

09:48:16.0216 1960 Npfs - ok

09:48:16.0232 1960 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys

09:48:16.0248 1960 Ntfs - ok

09:48:16.0248 1960 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\System32\lsass.exe

09:48:16.0248 1960 NtLmSsp - ok

09:48:16.0279 1960 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll

09:48:16.0279 1960 NtmsSvc - ok

09:48:16.0310 1960 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys

09:48:16.0310 1960 Null - ok

09:48:16.0529 1960 [ 4B54DCD6ADEE535DF80F07C59DDD8F14 ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

09:48:16.0716 1960 nv - ok

09:48:16.0763 1960 [ C61927D27B75ED56723F2508F1A6B1BE ] NVENETFD C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

09:48:16.0763 1960 NVENETFD - ok

09:48:16.0763 1960 [ 52DCE3B30C9D61C8E20FE3C6DA4BDFB7 ] nvgts C:\WINDOWS\system32\DRIVERS\nvgts.sys

09:48:16.0763 1960 nvgts - ok

09:48:16.0810 1960 [ 6A839AC21ECDE8945D52007152F2695E ] NVHDA C:\WINDOWS\system32\drivers\nvhda32.sys

09:48:16.0810 1960 NVHDA - ok

09:48:16.0826 1960 [ C529B614EF88BE0F62B886C67B516550 ] nvnetbus C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

09:48:16.0826 1960 nvnetbus - ok

09:48:16.0826 1960 [ 0573C75A2895D973EA6EF2495620BA49 ] NVSvc C:\WINDOWS\system32\nvsvc32.exe

09:48:16.0841 1960 NVSvc - ok

09:48:16.0873 1960 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

09:48:16.0873 1960 NwlnkFlt - ok

09:48:16.0873 1960 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

09:48:16.0873 1960 NwlnkFwd - ok

09:48:16.0935 1960 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

09:48:16.0935 1960 ose - ok

09:48:16.0966 1960 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys

09:48:16.0966 1960 Parport - ok

09:48:16.0998 1960 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys

09:48:16.0998 1960 PartMgr - ok

09:48:17.0029 1960 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys

09:48:17.0029 1960 ParVdm - ok

09:48:17.0045 1960 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys

09:48:17.0045 1960 PCI - ok

09:48:17.0045 1960 PCIDump - ok

09:48:17.0045 1960 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys

09:48:17.0045 1960 PCIIde - ok

09:48:17.0076 1960 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys

09:48:17.0076 1960 Pcmcia - ok

09:48:17.0076 1960 PDCOMP - ok

09:48:17.0076 1960 PDFRAME - ok

09:48:17.0091 1960 PDRELI - ok

09:48:17.0091 1960 PDRFRAME - ok

09:48:17.0107 1960 perc2 - ok

09:48:17.0107 1960 perc2hib - ok

09:48:17.0154 1960 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe

09:48:17.0154 1960 PlugPlay - ok

09:48:17.0154 1960 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe

09:48:17.0154 1960 PolicyAgent - ok

09:48:17.0185 1960 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys

09:48:17.0201 1960 PptpMiniport - ok

09:48:17.0201 1960 [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor C:\WINDOWS\system32\DRIVERS\processr.sys

09:48:17.0201 1960 Processor - ok

09:48:17.0201 1960 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe

09:48:17.0201 1960 ProtectedStorage - ok

09:48:17.0201 1960 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys

09:48:17.0201 1960 PSched - ok

09:48:17.0232 1960 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys

09:48:17.0232 1960 Ptilink - ok

09:48:17.0232 1960 ql1080 - ok

09:48:17.0232 1960 Ql10wnt - ok

09:48:17.0248 1960 ql12160 - ok

09:48:17.0248 1960 ql1240 - ok

09:48:17.0248 1960 ql1280 - ok

09:48:17.0279 1960 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys

09:48:17.0279 1960 RasAcd - ok

09:48:17.0326 1960 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll

09:48:17.0326 1960 RasAuto - ok

09:48:17.0341 1960 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

09:48:17.0341 1960 Rasl2tp - ok

09:48:17.0388 1960 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll

09:48:17.0388 1960 RasMan - ok

09:48:17.0388 1960 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys

09:48:17.0388 1960 RasPppoe - ok

09:48:17.0404 1960 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys

09:48:17.0404 1960 Raspti - ok

09:48:17.0404 1960 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys

09:48:17.0404 1960 Rdbss - ok

09:48:17.0404 1960 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

09:48:17.0404 1960 RDPCDD - ok

09:48:17.0435 1960 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys

09:48:17.0435 1960 rdpdr - ok

09:48:17.0466 1960 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys

09:48:17.0466 1960 RDPWD - ok

09:48:17.0482 1960 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe

09:48:17.0482 1960 RDSessMgr - ok

09:48:17.0513 1960 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys

09:48:17.0513 1960 redbook - ok

09:48:17.0529 1960 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll

09:48:17.0529 1960 RemoteAccess - ok

09:48:17.0560 1960 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll

09:48:17.0560 1960 RemoteRegistry - ok

09:48:17.0560 1960 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\System32\locator.exe

09:48:17.0560 1960 RpcLocator - ok

09:48:17.0576 1960 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll

09:48:17.0591 1960 RpcSs - ok

09:48:17.0607 1960 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\System32\rsvp.exe

09:48:17.0623 1960 RSVP - ok

09:48:17.0654 1960 [ 581E74880AEB1DBA1CB5AC8E6E6C0A69 ] RT61 C:\WINDOWS\system32\DRIVERS\RT61.sys

09:48:17.0654 1960 RT61 - ok

09:48:17.0685 1960 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe

09:48:17.0685 1960 SamSs - ok

09:48:17.0685 1960 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe

09:48:17.0685 1960 SCardSvr - ok

09:48:17.0685 1960 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll

09:48:17.0701 1960 Schedule - ok

09:48:17.0732 1960 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys

09:48:17.0732 1960 Secdrv - ok

09:48:17.0732 1960 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll

09:48:17.0732 1960 seclogon - ok

09:48:17.0732 1960 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll

09:48:17.0732 1960 SENS - ok

09:48:17.0748 1960 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys

09:48:17.0763 1960 serenum - ok

09:48:17.0763 1960 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys

09:48:17.0763 1960 Serial - ok

09:48:17.0795 1960 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys

09:48:17.0795 1960 Sfloppy - ok

09:48:17.0841 1960 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll

09:48:17.0841 1960 SharedAccess - ok

09:48:17.0857 1960 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll

09:48:17.0857 1960 ShellHWDetection - ok

09:48:17.0857 1960 Simbad - ok

09:48:17.0857 1960 Sparrow - ok

09:48:17.0904 1960 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys

09:48:17.0904 1960 splitter - ok

09:48:17.0935 1960 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe

09:48:17.0935 1960 Spooler - ok

09:48:17.0966 1960 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys

09:48:17.0966 1960 sr - ok

09:48:17.0966 1960 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll

09:48:17.0966 1960 srservice - ok

09:48:18.0013 1960 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys

09:48:18.0013 1960 Srv - ok

09:48:18.0029 1960 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll

09:48:18.0029 1960 SSDPSRV - ok

09:48:18.0045 1960 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll

09:48:18.0045 1960 stisvc - ok

09:48:18.0076 1960 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys

09:48:18.0076 1960 swenum - ok

09:48:18.0091 1960 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys

09:48:18.0091 1960 swmidi - ok

09:48:18.0091 1960 SwPrv - ok

09:48:18.0107 1960 symc810 - ok

09:48:18.0107 1960 symc8xx - ok

09:48:18.0107 1960 sym_hi - ok

09:48:18.0107 1960 sym_u3 - ok

09:48:18.0123 1960 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys

09:48:18.0123 1960 sysaudio - ok

09:48:18.0138 1960 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe

09:48:18.0138 1960 SysmonLog - ok

09:48:18.0170 1960 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll

09:48:18.0170 1960 TapiSrv - ok

09:48:18.0216 1960 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys

09:48:18.0216 1960 Tcpip - ok

09:48:18.0232 1960 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys

09:48:18.0232 1960 TDPIPE - ok

09:48:18.0263 1960 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys

09:48:18.0263 1960 TDTCP - ok

09:48:18.0263 1960 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys

09:48:18.0279 1960 TermDD - ok

09:48:18.0295 1960 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll

09:48:18.0295 1960 TermService - ok

09:48:18.0310 1960 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll

09:48:18.0310 1960 Themes - ok

09:48:18.0357 1960 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\System32\tlntsvr.exe

09:48:18.0357 1960 TlntSvr - ok

09:48:18.0373 1960 TosIde - ok

09:48:18.0388 1960 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll

09:48:18.0404 1960 TrkWks - ok

09:48:18.0435 1960 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys

09:48:18.0435 1960 Udfs - ok

09:48:18.0435 1960 ultra - ok

09:48:18.0466 1960 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys

09:48:18.0466 1960 Update - ok

09:48:18.0482 1960 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll

09:48:18.0482 1960 upnphost - ok

09:48:18.0498 1960 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe

09:48:18.0513 1960 UPS - ok

09:48:18.0545 1960 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys

09:48:18.0545 1960 usbccgp - ok

09:48:18.0560 1960 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys

09:48:18.0560 1960 usbehci - ok

09:48:18.0591 1960 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys

09:48:18.0607 1960 usbhub - ok

09:48:18.0607 1960 [ 0DAECCE65366EA32B162F85F07C6753B ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys

09:48:18.0607 1960 usbohci - ok

09:48:18.0654 1960 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys

09:48:18.0654 1960 usbprint - ok

09:48:18.0685 1960 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys

09:48:18.0685 1960 usbscan - ok

09:48:18.0701 1960 [ A32426D9B14A089EAA1D922E0C5801A9 ] usbstor C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

09:48:18.0701 1960 usbstor - ok

09:48:18.0732 1960 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys

09:48:18.0732 1960 VgaSave - ok

09:48:18.0763 1960 ViaIde - ok

09:48:18.0795 1960 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys

09:48:18.0795 1960 VolSnap - ok

09:48:18.0795 1960 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe

09:48:18.0810 1960 VSS - ok

09:48:18.0810 1960 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll

09:48:18.0810 1960 W32Time - ok

09:48:18.0857 1960 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys

09:48:18.0857 1960 Wanarp - ok

09:48:18.0857 1960 WDICA - ok

09:48:18.0873 1960 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys

09:48:18.0873 1960 wdmaud - ok

09:48:18.0888 1960 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll

09:48:18.0888 1960 WebClient - ok

09:48:18.0966 1960 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll

09:48:18.0982 1960 winmgmt - ok

09:48:19.0013 1960 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll

09:48:19.0013 1960 WmdmPmSN - ok

09:48:19.0029 1960 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll

09:48:19.0045 1960 Wmi - ok

09:48:19.0060 1960 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\System32\wbem\wmiapsrv.exe

09:48:19.0060 1960 WmiApSrv - ok

09:48:19.0154 1960 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe

09:48:19.0170 1960 WMPNetworkSvc - ok

09:48:19.0216 1960 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe

09:48:19.0216 1960 WPFFontCache_v0400 - ok

09:48:19.0263 1960 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys

09:48:19.0263 1960 WS2IFSL - ok

09:48:19.0310 1960 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll

09:48:19.0310 1960 wscsvc - ok

09:48:19.0326 1960 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll

09:48:19.0326 1960 wuauserv - ok

09:48:19.0341 1960 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys

09:48:19.0357 1960 WudfPf - ok

09:48:19.0357 1960 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys

09:48:19.0373 1960 WudfRd - ok

09:48:19.0373 1960 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll

09:48:19.0388 1960 WudfSvc - ok

09:48:19.0420 1960 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll

09:48:19.0435 1960 WZCSVC - ok

09:48:19.0451 1960 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll

09:48:19.0466 1960 xmlprov - ok

09:48:19.0466 1960 ================ Scan global ===============================

09:48:19.0498 1960 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll

09:48:19.0545 1960 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll

09:48:19.0560 1960 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll

09:48:19.0560 1960 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe

09:48:19.0576 1960 [Global] - ok

09:48:19.0576 1960 ================ Scan MBR ==================================

09:48:19.0591 1960 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0

09:48:19.0748 1960 \Device\Harddisk0\DR0 - ok

09:48:19.0748 1960 ================ Scan VBR ==================================

09:48:19.0748 1960 [ CB8236C74349282F7A3150DC09BB2861 ] \Device\Harddisk0\DR0\Partition1

09:48:19.0748 1960 \Device\Harddisk0\DR0\Partition1 - ok

09:48:19.0748 1960 ============================================================

09:48:19.0748 1960 Scan finished

09:48:19.0748 1960 ============================================================

09:48:19.0763 0856 Detected object count: 0

09:48:19.0763 0856 Actual detected object count: 0

09:48:57.0935 3236 Deinitialize success

---

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software

Run date: 2012-12-21 16:52:51

-----------------------------

16:52:51.812 OS Version: Windows 5.1.2600 Service Pack 3

16:52:51.812 Number of processors: 2 586 0x603

16:52:51.812 ComputerName: HAYSEEDHOMEBASE UserName: Tom

16:52:52.812 Initialize success

16:53:06.859 AVAST engine defs: 12122101

16:53:13.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port0Path0Target0Lun0

16:53:13.203 Disk 0 Vendor: ST350041 JC45 Size: 476940MB BusType: 3

16:53:13.218 Disk 0 MBR read successfully

16:53:13.218 Disk 0 MBR scan

16:53:13.234 Disk 0 Windows XP default MBR code

16:53:13.234 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63

16:53:13.234 Disk 0 scanning sectors +976752000

16:53:13.296 Disk 0 scanning C:\WINDOWS\system32\drivers

16:53:20.156 Service scanning

16:53:34.265 Modules scanning

16:53:38.296 Disk 0 trace - called modules:

16:53:38.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys

16:53:38.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a85b030]

16:53:38.812 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000062[0x8a8ac630]

16:53:38.812 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Scsi\nvgts1Port0Path0Target0Lun0[0x8a8ab030]

16:53:48.625 AVAST engine scan C:\WINDOWS

16:54:09.968 AVAST engine scan C:\WINDOWS\system32

16:56:37.828 AVAST engine scan C:\WINDOWS\system32\drivers

16:56:59.359 AVAST engine scan C:\Documents and Settings\Tom

17:22:48.125 AVAST engine scan C:\Documents and Settings\All Users

17:28:48.671 File: C:\Documents and Settings\All Users\Documents\Ham Radio\New Folder (2)\VXO\fast__auto.exe **INFECTED** Win32:Dropper-gen [Drp]

17:34:58.062 Scan finished successfully

18:56:57.984 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tom\Desktop\MBR.dat"

18:56:57.984 The log file has been saved successfully to "C:\Documents and Settings\Tom\Desktop\aswMBR.txt"

Thanks,

Tom


  • Staff

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later

  • Please post the contents of OTL.txt in your next reply.

Gringo


Okay, I'm back. Before I paste the OTL report, I wanted to ask you if there was anything I should be doing with: 17:28:48.671 File: C:\Documents and Settings\All Users\Documents\Ham Radio\New Folder (2)\VXO\fast__auto.exe **INFECTED** Win32:Dropper-gen [Drp]. This was shown in the aswMBR report. I checked, and this file appeared at roughly the same time as this problem started.

I had a BSOD crash since we last corresponded as well.

Here is the report file:

OTL logfile created on: 12/23/2012 9:05:14 AM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Tom\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.50 Gb Total Physical Memory | 1.87 Gb Available Physical Memory | 74.71% Memory free

4.34 Gb Paging File | 3.91 Gb Available in Paging File | 90.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 465.75 Gb Total Space | 414.25 Gb Free Space | 88.94% Space Free | Partition Type: NTFS

Drive D: | 82.44 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: HAYSEEDHOMEBASE | User Name: Tom | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Tom\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)

PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)

PRC - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)

PRC - C:\Program Files\Mozilla Thunderbird\thunderbird.exe (Mozilla Messaging)

PRC - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE (SEIKO EPSON CORPORATION)

PRC - C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe (RingCentral, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Calibrize\CalibrizeResume.exe (Eberhard Werle)

========== Modules (No Company Name) ==========

MOD - C:\Program Files\Mozilla Thunderbird\nsldappr32v60.dll ()

MOD - C:\Program Files\Mozilla Thunderbird\nsldap32v60.dll ()

MOD - C:\Program Files\Mozilla Thunderbird\mozjs.dll ()

========== Services (SafeList) ==========

SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)

SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)

SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)

SRV - (Hamachi2Svc) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe (LogMeIn Inc.)

SRV - (EPSON_PM_RPCV4_05) -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE (SEIKO EPSON CORPORATION)

========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found

DRV - (PDRFRAME) -- File not found

DRV - (PDRELI) -- File not found

DRV - (PDFRAME) -- File not found

DRV - (PDCOMP) -- File not found

DRV - (PCIDump) -- File not found

DRV - (lbrtfdc) -- File not found

DRV - (i2omgmt) -- File not found

DRV - (dcubamvg) -- C:\WINDOWS\system32\drivers\dcubamvg.sys File not found

DRV - (Changer) -- File not found

DRV - (catchme) -- C:\DOCUME~1\Tom\LOCALS~1\Temp\catchme.sys File not found

DRV - (adfs) -- File not found

DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)

DRV - (BCMH43XX) -- C:\WINDOWS\system32\drivers\bcmwlhigh5.sys (Broadcom Corporation)

DRV - (NVHDA) -- C:\WINDOWS\system32\drivers\nvhda32.sys (NVIDIA Corporation)

DRV - (dtsoftbus01) -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys (DT Soft Ltd)

DRV - (IntcAzAudAddService) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (nvgts) -- C:\WINDOWS\system32\drivers\nvgts.sys (NVIDIA Corporation)

DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)

DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)

DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)

DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)

DRV - (hamachi) -- C:\WINDOWS\system32\drivers\hamachi.sys (LogMeIn, Inc.)

DRV - (RT61) -- C:\WINDOWS\system32\drivers\rt61.sys (Ralink Technology Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKLM\..\SearchScopes,DefaultScope =

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-842925246-2147255891-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKU\S-1-5-21-842925246-2147255891-682003330-1003\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-842925246-2147255891-682003330-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\S-1-5-21-842925246-2147255891-682003330-1003\..\SearchScopes\{8E02D41C-5924-4816-9490-33CCD28BEB72}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}

IE - HKU\S-1-5-21-842925246-2147255891-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811&ilc=12"

FF - prefs.js..browser.search.selectedEngine: "Bing"

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "about:home"

FF - prefs.js..extensions.enabledAddons: %7BCAFEEFAC-0016-0000-0033-ABCDEFFEDCBA%7D:6.0.33

FF - prefs.js..extensions.enabledAddons: %7BCAFEEFAC-0016-0000-0035-ABCDEFFEDCBA%7D:6.0.35

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1

FF - prefs.js..extensions.enabledItems: smartwebprinting@hp.com:4.5

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.10

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {ab91efd4-6975-4081-8552-1b3922ed79e2}:1.0.5.1

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_35: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/05/27 13:59:25 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/04 23:53:53 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/12/04 23:53:33 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 5.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/12/17 11:37:57 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 5.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/05/27 13:59:25 | 000,000,000 | ---D | M]

[2011/05/28 07:13:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tom\Application Data\Mozilla\Extensions

[2011/05/23 12:20:57 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tom\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2012/12/13 12:32:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\extensions

[2012/12/13 12:32:03 | 002,151,598 | ---- | M] () (No name found) -- C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\extensions\firebug@software.joehewitt.com.xpi

[2012/11/23 10:40:14 | 000,804,627 | ---- | M] () (No name found) -- C:\Documents and Settings\Tom\Application Data\Mozilla\Firefox\Profiles\ouwelwuc.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

[2012/12/04 23:53:03 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2012/12/04 23:53:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}

[2012/12/04 23:53:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}

[2012/12/04 23:53:53 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2011/03/21 07:22:04 | 001,680,272 | ---- | M] (Caminova, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdjvu.dll

[2011/03/18 12:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll

[2012/08/31 07:25:27 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2012/10/11 20:14:13 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://websearch.mocaflix.com/

CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.2_0\

CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\

CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\

CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\

CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

CHR - Extension: No name found = C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.4_0\

O1 HOSTS File: ([2012/12/20 19:16:50 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found

O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)

O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()

O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [bifröst II on HAYSEEDHOMEBASE (from HAYSEEDMOBILE)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIHEA.EXE (SEIKO EPSON CORPORATION)

O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [CalibrizeResume] C:\Program Files\Calibrize\CalibrizeResume.exe (Eberhard Werle)

O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [CGFLoader] C:\Program Files\Calibrize\CalibrizeLoader.exe (Colorjinn)

O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)

O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [Flashpaste] C:\Program Files\Flashpaste\Flashpaste.exe ()

O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [Radio365Agent] C:\Program Files\Live365\Radio365\Radio365TrayAgent.exe (Live365)

O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [RCHotKey] C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe (RingCentral, Inc.)

O4 - HKU\S-1-5-21-842925246-2147255891-682003330-1003..\Run: [RCUI] C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe (RingCentral, Inc.)

O4 - Startup: C:\Documents and Settings\Tom\Start Menu\Programs\Startup\Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe (SourceForge.net)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-842925246-2147255891-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-842925246-2147255891-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-842925246-2147255891-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-842925246-2147255891-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O15 - HKU\S-1-5-21-842925246-2147255891-682003330-1003\..Trusted Domains: localhost ([]* in Local intranet)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)

O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6D82F982-3361-4870-9184-3A24BA5DD021}: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FE74D0E6-CA2A-403F-BC85-562B2EC95D2A}: DhcpNameServer = 192.168.1.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2011/05/23 00:52:54 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2008/02/22 10:43:08 | 000,358,248 | R--- | M] (NETGEAR Inc.) - D:\Autorun.exe -- [ CDFS ]

O32 - AutoRun File - [2006/05/29 18:27:40 | 000,000,047 | R--- | M] () - D:\autorun.inf -- [ CDFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/12/23 08:59:36 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe

[2012/12/21 09:59:46 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Tom\Desktop\aswMBR.exe

[2012/12/21 09:42:08 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Tom\Desktop\tdsskiller(1).exe

[2012/12/20 19:18:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp

[2012/12/20 19:10:55 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2012/12/20 19:09:24 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2012/12/20 19:09:24 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2012/12/20 19:09:24 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2012/12/20 19:09:24 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2012/12/20 19:09:05 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/12/20 19:08:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt

[2012/12/20 19:05:17 | 005,012,825 | R--- | C] (Swearware) -- C:\Documents and Settings\Tom\Desktop\ComboFix.exe

[2012/12/20 15:21:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Desktop\RK_Quarantine

[2012/12/20 12:14:44 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Tom\Desktop\HijackThis.exe

[2012/12/19 09:59:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Upconverter

[2012/12/18 13:10:21 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine

[2012/12/14 16:20:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Local Settings\Application Data\Deployment

[2012/12/12 12:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom\Application Data\Malwarebytes

[2012/12/12 12:15:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/12/12 12:15:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2012/12/12 12:15:34 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2012/12/12 12:15:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2012/12/11 12:18:04 | 001,034,240 | ---- | C] (Broadcom Corporation) -- C:\WINDOWS\System32\drivers\bcmwlhigh5.sys

[2012/12/11 12:18:01 | 000,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ATL71.DLL

[2012/12/10 04:45:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Cart32

[2012/12/04 23:53:02 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/12/23 08:59:36 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom\Desktop\OTL.exe

[2012/12/23 08:54:00 | 000,000,370 | ---- | M] () -- C:\WINDOWS\tasks\WpsUpdateTask_Tom.job

[2012/12/23 08:52:00 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003UA.job

[2012/12/23 03:23:51 | 000,492,614 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2012/12/23 03:23:51 | 000,083,262 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2012/12/23 03:20:02 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2012/12/23 03:19:54 | 000,000,374 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics

[2012/12/23 03:19:50 | 003,798,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2012/12/23 03:19:42 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\Wnorzxwzl.job

[2012/12/23 03:19:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012/12/23 02:00:00 | 000,000,338 | ---- | M] () -- C:\WINDOWS\tasks\AdobeAAMUpdater-1.0-HAYSEEDHOMEBASE-Tom.job

[2012/12/22 23:52:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003Core.job

[2012/12/21 21:35:06 | 000,018,505 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\crash2.jpg

[2012/12/21 21:34:48 | 000,053,769 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\crash.jpg

[2012/12/21 18:56:57 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\MBR.dat

[2012/12/21 16:34:54 | 000,013,312 | ---- | M] () -- C:\Documents and Settings\Tom\Application Data\Settings.cfg

[2012/12/21 16:13:25 | 000,030,649 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\forecast.jpg

[2012/12/21 09:59:47 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Tom\Desktop\aswMBR.exe

[2012/12/21 09:42:13 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Tom\Desktop\tdsskiller(1).exe

[2012/12/20 19:16:50 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2012/12/20 19:10:59 | 000,000,313 | RHS- | M] () -- C:\boot.ini

[2012/12/20 19:05:30 | 005,012,825 | R--- | M] (Swearware) -- C:\Documents and Settings\Tom\Desktop\ComboFix.exe

[2012/12/20 16:36:13 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2012/12/20 15:20:20 | 000,756,224 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\RogueKiller.exe

[2012/12/20 15:07:22 | 000,547,175 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\AdwCleaner.exe

[2012/12/20 15:02:41 | 000,856,731 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\SecurityCheck(1).exe

[2012/12/20 12:14:44 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Tom\Desktop\HijackThis.exe

[2012/12/18 13:14:11 | 000,001,808 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[2012/12/17 11:37:59 | 000,001,686 | ---- | M] () -- C:\Documents and Settings\Tom\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk

[2012/12/17 11:37:59 | 000,001,668 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Thunderbird.lnk

[2012/12/16 09:09:14 | 000,001,495 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\restore.vbs

[2012/12/16 06:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\dllcache\atmfd.dll

[2012/12/16 06:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\atmfd.dll

[2012/12/16 06:20:34 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2012/12/15 09:20:18 | 000,135,168 | RHS- | M] () -- C:\WINDOWS\System32\lfjbguw.dll

[2012/12/12 21:54:14 | 000,002,268 | ---- | M] () -- C:\Documents and Settings\Tom\Desktop\Google Chrome.lnk

[2012/12/12 12:15:41 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/12/12 03:16:31 | 000,697,272 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe

[2012/12/12 03:16:31 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

[2012/12/10 23:59:54 | 000,159,476 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\HazardFraught2ndtry.jpg

[2012/12/10 23:54:05 | 000,159,476 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\HazardFraught.jpg

[2012/12/10 11:21:26 | 000,030,878 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\flag2.jpg

[2012/12/10 11:20:03 | 000,032,156 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\flag1.jpg

[2012/12/05 12:05:50 | 000,001,056 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Kingsoft Spreadsheets.lnk

[2012/11/28 05:45:58 | 000,111,812 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\Farland, Tom and Julia 2012-2013 Lease.pdf

[2012/11/23 15:04:21 | 000,027,993 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\idwd.jpg

[2012/11/23 14:45:24 | 000,006,660 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\ilike.jpg

[2012/11/23 14:36:26 | 000,070,240 | ---- | M] () -- C:\Documents and Settings\Tom\My Documents\hillary-clinton-dejected.jpg

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/12/21 21:35:06 | 000,018,505 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\crash2.jpg

[2012/12/21 21:34:48 | 000,053,769 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\crash.jpg

[2012/12/21 18:56:57 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\MBR.dat

[2012/12/21 13:33:47 | 000,030,649 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\forecast.jpg

[2012/12/20 19:10:59 | 000,000,197 | ---- | C] () -- C:\Boot.bak

[2012/12/20 19:10:56 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2012/12/20 19:09:24 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2012/12/20 19:09:24 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2012/12/20 19:09:24 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2012/12/20 19:09:24 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2012/12/20 19:09:24 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2012/12/20 15:20:13 | 000,756,224 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\RogueKiller.exe

[2012/12/20 15:07:22 | 000,547,175 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\AdwCleaner.exe

[2012/12/20 15:02:41 | 000,856,731 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\SecurityCheck(1).exe

[2012/12/17 11:37:59 | 000,001,674 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Thunderbird.lnk

[2012/12/16 09:09:14 | 000,001,495 | ---- | C] () -- C:\Documents and Settings\Tom\Desktop\restore.vbs

[2012/12/16 06:21:35 | 000,201,448 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2012/12/15 09:20:18 | 000,135,168 | RHS- | C] () -- C:\WINDOWS\System32\lfjbguw.dll

[2012/12/15 09:20:18 | 000,000,308 | ---- | C] () -- C:\WINDOWS\tasks\Wnorzxwzl.job

[2012/12/12 12:15:41 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/12/10 23:59:54 | 000,159,476 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\HazardFraught2ndtry.jpg

[2012/12/10 23:54:05 | 000,159,476 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\HazardFraught.jpg

[2012/12/10 11:20:30 | 000,030,878 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\flag2.jpg

[2012/12/10 11:20:03 | 000,032,156 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\flag1.jpg

[2012/11/23 15:04:21 | 000,027,993 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\idwd.jpg

[2012/11/23 14:45:24 | 000,006,660 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\ilike.jpg

[2012/11/23 14:36:25 | 000,070,240 | ---- | C] () -- C:\Documents and Settings\Tom\My Documents\hillary-clinton-dejected.jpg

[2012/10/05 10:59:25 | 000,048,076 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2012/07/31 15:08:44 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Tom\Application Data\Adobe BMP Format CS5 Prefs

[2012/07/21 08:21:07 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc

[2012/07/03 13:51:54 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Tom\Application Data\Adobe GIF Format CS5 Prefs

[2012/02/15 11:53:06 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2012/01/11 15:25:47 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini

[2011/10/15 05:31:00 | 000,002,290 | ---- | C] () -- C:\WINDOWS\DigiPan.INI

[2011/09/03 07:23:18 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2011/08/12 17:57:27 | 000,000,418 | ---- | C] () -- C:\WINDOWS\hpwmdl28.dat.temp

[2011/07/03 17:55:50 | 000,285,176 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin

[2011/07/03 17:55:50 | 000,285,176 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin

[2011/07/03 17:55:50 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin

[2011/07/03 17:55:32 | 002,130,002 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data

[2011/06/08 20:14:17 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2011/06/01 18:44:11 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\Tom\Application Data\Settings.cfg

[2011/05/30 07:04:32 | 000,059,952 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE

[2011/05/27 15:41:38 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2011/05/27 13:56:27 | 000,207,292 | ---- | C] () -- C:\WINDOWS\hpwins28.dat

[2011/05/27 13:56:27 | 000,000,418 | ---- | C] () -- C:\WINDOWS\hpwmdl28.dat

[2011/05/26 20:30:13 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Tom\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/05/23 12:20:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2011/05/23 08:45:56 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2011/05/23 08:45:34 | 003,798,992 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2011/05/23 01:57:19 | 000,010,084 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin

[2011/05/23 00:53:32 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2011/05/23 00:52:01 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

========== ZeroAccess Check ==========

[2012/01/11 15:21:09 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shdocvw.dll -- [2011/02/17 07:51:57 | 001,510,400 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 06:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 04:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

< End of report >


  • Staff

Hello

Run this custom script and, when it is complete, let me know how the computer is doing.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the Custom Scans/Fixes text box. Do not include the word Code.

    :OTL
    FF - user.js - File not found
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
    [2012/12/15 09:20:18 | 000,135,168 | RHS- | M] () -- C:\WINDOWS\System32\lfjbguw.dll
    [2012/12/15 09:20:18 | 000,000,308 | ---- | C] () -- C:\WINDOWS\tasks\Wnorzxwzl.job
    :Files
    ipconfig /flushdns /c

    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]


  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know how things are doing.

Gringo
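The two entries the script above removes were picked out of the OTL log by hand: a hidden+system DLL with a random-looking name in System32, no company name, created in the same second as a scheduled-task .job file. As an added example (not part of the thread and not code from the OTL tool), here is a Python parser for the OTL line format that applies that same heuristic to a few lines taken from the log above; the vowel-ratio test for "random-looking" names is a crude assumption of mine, not something OTL does.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# A few lines copied from the OTL log in this thread (constructed sample input).
SAMPLE_LOG = r"""
[2012/12/20 19:10:59 | 000,000,313 | RHS- | M] () -- C:\boot.ini
[2012/12/16 06:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\atmfd.dll
[2012/12/15 09:20:18 | 000,135,168 | RHS- | M] () -- C:\WINDOWS\System32\lfjbguw.dll
[2012/12/15 09:20:18 | 000,135,168 | RHS- | C] () -- C:\WINDOWS\System32\lfjbguw.dll
[2012/12/15 09:20:18 | 000,000,308 | ---- | C] () -- C:\WINDOWS\tasks\Wnorzxwzl.job
[2012/10/05 10:59:25 | 000,048,076 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
"""

# OTL file line: [YYYY/MM/DD HH:MM:SS | size | attrs | M|C] (company) -- path
# M = modified listing, C = created listing; attrs are R/H/S/D flags or '-'.
OTL_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


@dataclass
class Entry:
    stamp: str
    size: int
    attrs: str
    kind: str
    company: str
    path: str


def parse_otl(text):
    """Parse OTL file lines; summary lines like '[1 ... *.tmp files -> ]' are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["stamp"], int(m["size"].replace(",", "")),
                                 m["attrs"], m["kind"], m["company"], m["path"]))
    return entries


VOWELS = set("aeiou")


def looks_random(filename):
    """Assumed heuristic: an all-letter stem of 6+ chars with under 25% vowels."""
    stem = filename.rsplit(".", 1)[0].lower()
    if not stem.isalpha() or len(stem) < 6:
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.25


def is_hidden_system_dll(e):
    """A DLL under System32 carrying both H and S attributes and no company name."""
    p = e.path.lower()
    return (p.endswith(".dll") and "\\system32\\" in p
            and "H" in e.attrs and "S" in e.attrs and not e.company.strip())


def find_suspicious(entries):
    """Map each suspicious DLL path to the list of reasons it was flagged."""
    by_stamp = defaultdict(list)  # timestamp -> entries sharing that second
    for e in entries:
        by_stamp[e.stamp].append(e)
    findings = {}
    for e in entries:
        if not is_hidden_system_dll(e):
            continue
        reasons = ["hidden+system DLL in System32 with no company name"]
        if looks_random(e.path.rsplit("\\", 1)[-1]):
            reasons.append("random-looking file name")
        for other in by_stamp[e.stamp]:
            if other.path.lower().endswith(".job"):
                reasons.append("scheduled task created in the same second: " + other.path)
        merged = findings.setdefault(e.path, [])  # M and C lines share one finding
        for r in reasons:
            if r not in merged:
                merged.append(r)
    return findings


if __name__ == "__main__":
    for path, reasons in find_suspicious(parse_otl(SAMPLE_LOG)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```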


Regarding search engine link hijack - I was unable to find the text report in notepad, however I tested Google, Yahoo Search, and Bing. All three search engines are working normally now and the links on their pages are no longer being hijacked and linked to other search engines or websites. At this point, it appears that the problem has been fixed.

-Tom


Oops - the search engines are working normally now except when I use the search box in the middle of the Thunderbird start page. It takes me to Genieo. I changed my home page to Bing, so that is no longer a problem, but I don't know how Genieo got there, and nothing shows up in "Add or Uninstall Software" (in Control Panel) that I can uninstall. Is this part of the same problem and how should I proceed regarding this?

Also, can I turn on the Windows Security Essentials real-time protection now?

Thanks,

Tom


  • Staff

Hello

I want you to try this for Firefox and give me a quick update on how things are.

I want you to reset Firefox back to defaults. To do this, I need you to do the following:

  • At the top of the Firefox window, click the "Firefox" button, go over to the "Help" sub-menu (on Windows XP, click the Help menu at the top of the Firefox window) and select "Troubleshooting Information".
  • Click the "Reset Firefox" button in the upper-right corner of the Troubleshooting Information page.
  • Click "Reset Firefox" in the confirmation window that opens.
  • Firefox will close and be reset. When it's done, click "Finish" and Firefox will open.

Restart the computer and check Firefox for me now.

Gringo


  • Staff

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

    ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  1. report from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now after running the script?

Gringo


After Combofix, I'm still doing fine - not having any problems with search engine re-directs. Lost a Thunderbird extension, maybe two (Ad Blocker Plus with Fanboy's list) but reinstalled with no problems. Have restarted Microsoft Security Essentials.

Reinstalled Carbonite, connectivity problem there is now gone. NOTE: I have put Carbonite on pause, as I wanted to ask you if there was the possibility that the virus might be in my on-line back-up, too?

Here is the log from cf:

ComboFix 12-12-20.02 - Tom 12/26/2012 19:52:15.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1952 [GMT -6:00]

Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\drivers\etc\hosts.ics

.

.

((((((((((((((((((((((((( Files Created from 2012-11-27 to 2012-12-27 )))))))))))))))))))))))))))))))

.

.

2012-12-27 01:50 . 2012-12-27 01:50 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2CEFF535-8B9B-48F4-9966-E12B9DD78126}\MpKsl8f60d92d.sys

2012-12-26 17:20 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2CEFF535-8B9B-48F4-9966-E12B9DD78126}\mpengine.dll

2012-12-26 08:06 . 2012-12-26 08:06 -------- d-----w- C:\_OTL

2012-12-18 19:44 . 2012-12-18 19:44 -------- d-----w- c:\documents and settings\Administrator.HAYSEEDHOMEBASE

2012-12-18 19:10 . 2012-12-18 19:10 -------- d-----w- C:\TDSSKiller_Quarantine

2012-12-14 23:19 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-12-14 22:20 . 2012-12-14 22:24 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Deployment

2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\documents and settings\Tom\Application Data\Malwarebytes

2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-12-12 18:15 . 2012-12-12 18:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-12-12 18:15 . 2012-09-30 01:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-11 18:18 . 2011-12-12 23:43 1034240 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys

2012-12-11 18:18 . 2010-02-03 17:21 89088 ----a-w- c:\windows\system32\ATL71.DLL

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-16 12:23 . 2003-03-31 07:00 290560 ----a-w- c:\windows\system32\atmfd.dll

2012-12-12 09:16 . 2012-04-15 01:39 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-12 09:16 . 2011-05-29 02:56 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-13 01:25 . 2003-03-31 07:00 1866368 ----a-w- c:\windows\system32\win32k.sys

2012-11-02 02:02 . 2003-03-31 07:00 375296 ----a-w- c:\windows\system32\dpnet.dll

2012-11-01 12:17 . 2003-03-31 07:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-11-01 12:17 . 2003-03-31 07:00 43520 ------w- c:\windows\system32\licmgr10.dll

2012-11-01 12:17 . 2003-03-31 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-11-01 00:35 . 2011-05-23 07:33 385024 ------w- c:\windows\system32\html.iec

2012-10-02 18:04 . 2003-03-31 07:00 58368 ----a-w- c:\windows\system32\synceng.dll

2012-12-05 05:53 . 2012-12-05 05:53 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Radio365Agent"="c:\program files\Live365\Radio365\Radio365TrayAgent.exe" [2011-04-13 1003520]

"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2010-11-23 500992]

"RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2010-11-23 38144]

"Flashpaste"="c:\program files\Flashpaste\flashpaste.exe" [2011-04-17 643584]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]

"CGFLoader"="c:\program files\Calibrize\CalibrizeLoader.exe" [2007-11-26 1961984]

"CalibrizeResume"="c:\program files\Calibrize\CalibrizeResume.exe" [2007-11-26 413696]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2010-11-02 19580520]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-10-08 203072]

"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-08-29 1061960]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\Tom\Start Menu\Programs\Startup\

Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2008-4-29 1699840]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Adobe Download Assistant\\Adobe Download Assistant.exe"=

"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=

"c:\\Program Files\\LogMeIn Hamachi\\hamachi-2-ui.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [5/27/2011 3:28 PM 218688]

R1 MpKsl8f60d92d;MpKsl8f60d92d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2CEFF535-8B9B-48F4-9966-E12B9DD78126}\MpKsl8f60d92d.sys [12/26/2012 7:50 PM 29904]

R2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE [4/9/2012 12:36 PM 125440]

R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2/28/2012 4:38 PM 1373576]

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [12/12/2012 12:15 PM 399432]

R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [12/11/2012 12:18 PM 1034240]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/12/2012 12:15 PM 22856]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/12/2012 12:15 PM 676936]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/23/2011 1:58 AM 1691480]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSL8F60D92D

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-26 c:\windows\Tasks\AdobeAAMUpdater-1.0-HAYSEEDHOMEBASE-Tom.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2012-06-28 22:42]

.

2012-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003Core.job

- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-23 08:06]

.

2012-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-2147255891-682003330-1003UA.job

- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-23 08:06]

.

2012-12-26 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 22:25]

.

2012-12-27 c:\windows\Tasks\WpsUpdateTask_Tom.job

- c:\program files\Kingsoft\Kingsoft Spreadsheets\office6\wpsupdate.exe [2011-11-03 16:00]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\l1rbtjv8.default-1356546181171\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - ExtSQL: 2012-12-04 23:53; {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}

FF - ExtSQL: 2012-12-04 23:53; {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}

FF - ExtSQL: !HIDDEN! 2011-05-27 14:59; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-63686105.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-12-26 19:57

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2012-12-26 19:58:49

ComboFix-quarantined-files.txt 2012-12-27 01:58

ComboFix2.txt 2012-12-21 01:18

.

Pre-Run: 444,492,972,032 bytes free

Post-Run: 444,649,738,240 bytes free

.

- - End Of File - - A3995334C4416F09F17B23E05519D308


  • Staff

Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

  • Programs to remove

    • Java 6 Update 22
    • Java 6 Update 35

Please download and install Revo Uninstaller Free

  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.
    • Download CCleaner from here: http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar, uncheck the box next to it.
    • Run CCleaner. Default settings are fine.
    • Click Run Cleaner.
    • Close CCleaner.

: Malwarebytes' Anti-Malware :

I see that you have MBAM installed. That is great!! At this time I would like you to update it and run me a quick scan.

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • Copy and paste the HijackThis report into the topic.

"information and logs"

  • In your next post I need the following
  1. Log From MBAM
  2. report from Hijackthis
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo


Hi, Gringo. All is still well. No redirects, no problems. Is it safe to turn on my Carbonite Backup again?

Here are the logs:

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2012.12.28.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Tom :: HAYSEEDHOMEBASE [administrator]

12/28/2012 5:35:42 AM

mbam-log-2012-12-28 (05-35-42).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 240290

Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

HiJack This log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:52:44 AM, on 12/28/2012

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE

C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\Live365\Radio365\Radio365TrayAgent.exe

C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe

C:\Program Files\Calibrize\CalibrizeResume.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Documents and Settings\Tom\Local Settings\Application Data\Google\Update\1.3.21.123\GoogleCrashHandler.exe

C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\WINDOWS\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Documents and Settings\Tom\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet

O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start

O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [Radio365Agent] C:\Program Files\Live365\Radio365\Radio365TrayAgent.exe

O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe"

O4 - HKCU\..\Run: [RCHotKey] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe"

O4 - HKCU\..\Run: [Flashpaste] C:\Program Files\Flashpaste\flashpaste.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun

O4 - HKCU\..\Run: [CGFLoader] C:\Program Files\Calibrize\CalibrizeLoader.exe

O4 - HKCU\..\Run: [CalibrizeResume] C:\Program Files\Calibrize\CalibrizeResume.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Startup: Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

O23 - Service: EPSON V3 Service4(05) (EPSON_PM_RPCV4_05) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE

O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe

O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 7406 bytes


  • Staff

Hello haysee5

"Is it safe to turn on my Carbonite Backup again?" - Yes, you can turn it back on now.

These logs are looking very good; we are almost done!!! Just one more scan to go.

Remove unneeded start-up entries:

This part of the fix is purely optional.

These are programs that start up when you turn on your computer but don't need to; you can start any of them when you need them by clicking their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis (right-click and run as admin)
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Radio365Agent] C:\Program Files\Live365\Radio365\Radio365TrayAgent.exe
    O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe"
    O4 - HKCU\..\Run: [Flashpaste] C:\Program Files\Flashpaste\flashpaste.exe
    O4 - HKCU\..\Run: [CGFLoader] C:\Program Files\Calibrize\CalibrizeLoader.exe
    O4 - HKCU\..\Run: [CalibrizeResume] C:\Program Files\Calibrize\CalibrizeResume.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

  • Close all open windows and browsers/email, etc.
  • Click on the "Fix Checked" button
  • When completed, close the application.

  • NOTE** You can research each of those lines here and see if you want to keep them or not: just copy the name between the brackets and paste it into the search space, for example
    O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - on Vista and Win 7, right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the add-on to be installed
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete:

  • If no threats were found
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found

  • If threats were found
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    • close program
    • copy and paste the report here

Gringo
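A small parser for the HijackThis O4 lines quoted in this thread, added here as an example rather than code from the thread, HijackThis or Malwarebytes; it breaks each autostart entry into registry location, name, executable and arguments so the optional entries above can be reviewed by where they run from. The field names and the review flags are this example's own conventions.

```python
"""Parse HijackThis O4 (autostart) lines into structured records.
Added example for reviewing the O4 entries above; not code from the thread,
HijackThis or Malwarebytes. Field names and flags are this example's own."""
import re

# Constructed sample: O4 lines copied from the log in this thread.
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe",
    r"""O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')""",
    r"O4 - Startup: Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe",
]

# Registry entries:  O4 - <hive>\..\Run[Once]: [<name>] <command> [(User '<user>')]
_REG = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] "
                  r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# Startup-folder entries:  O4 - [Global ]Startup: <shortcut>.lnk = <target>
_LNK = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")


def split_command(cmd):
    """Return (exe, args). A quoted token is the executable; an unquoted command is
    cut after the first '.exe' so unquoted paths with spaces are not split early."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(?i)(.+?\.exe)\s*(.*)$", cmd)
    return (m.group(1), m.group(2)) if m else (cmd, "")


def parse_o4(lines):
    """Return one dict per O4 line (other lines are skipped), with review flags."""
    records = []
    for line in lines:
        m = _REG.match(line) or _LNK.match(line)
        if not m:
            continue
        d = m.groupdict()
        exe, args = split_command(d["cmd"])
        rec = {"hive": d.get("hive", ""), "key": d["key"], "name": d["name"],
               "exe": exe, "args": args, "user": d.get("user"), "flags": []}
        if "\\" not in exe:              # bare name: found via the PATH search order
            rec["flags"].append("no_directory")
        elif "hive" in d and " " in exe and not d["cmd"].startswith('"'):
            rec["flags"].append("unquoted_path_with_spaces")   # shell may stop at the first space
        if exe.lower().endswith("rundll32.exe"):   # the loaded DLL is the real payload
            rec["module"] = args.split(",", 1)[0]
        records.append(rec)
    return records
```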


  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.

Gringo

This topic is now closed to further replies.