Rudy is infected


RudyH

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4982

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/28/2010 8:56:24 PM

mbam-log-2010-10-28 (20-56-24).txt

Scan type: Quick scan

Objects scanned: 151396

Time elapsed: 9 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 21:26 on 28/10/2010 (Rudy)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

DDS (Ver_10-10-21.02) - NTFSx86

Run by Rudy at 21:41:15.06 on Thu 10/28/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1381 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Microsoft Security Essentials *On-access scanning enabled* (Outdated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Rudy\Local Settings\Temporary Internet Files\Content.IE5\0AXX7G6R\dds[1].scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - No File

BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\rudy\local settings\application data\cyberdefender\cdmyidd.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - No File

TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\rudy\local settings\application data\cyberdefender\cdmyidd.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\versio~1.lnk - c:\windows\installer\{44a26f69-c401-4f38-b739-37fb22686c34}\New_Shortcut_S1699_A8EB5A2133B04A97AEEFDFB17E2E701D.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: secureserver.net\email12

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-23 216400]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-1-1 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-16 243024]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]

S2 gupdate1cac3f4ed339e20;Google Update Service (gupdate1cac3f4ed339e20);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 133104]

=============== Created Last 30 ================

2010-10-21 02:17:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!

2010-10-13 14:19:05 6084944 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2010-10-13 14:18:52 6084944 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{50f271ef-55b6-45d8-bb6a-8b321a3bb4ac}\mpengine.dll

2010-10-12 21:48:59 -------- d-----w- c:\docume~1\rudy\locals~1\applic~1\Mozilla

2010-10-08 20:13:47 -------- d-----w- c:\docume~1\rudy\locals~1\applic~1\PCHealth

2010-10-08 14:33:53 -------- d-----w- c:\docume~1\rudy\locals~1\applic~1\LogMeIn

2010-10-08 14:33:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\LogMeIn

2010-10-07 19:16:26 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-10-03 14:50:38 -------- d-----w- c:\program files\Angle Interactive

2010-10-03 14:50:35 -------- d-----w- c:\documents and settings\rudy\WINDOWS

2010-10-03 14:49:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-09-30 04:40:29 -------- d-----w- c:\program files\iPod

2010-09-30 04:40:26 -------- d-----w- c:\program files\iTunes

2010-09-30 04:35:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2010-09-30 04:35:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2010-09-30 04:35:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2010-09-30 04:35:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2010-09-30 04:35:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2010-09-30 04:35:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2010-09-30 04:35:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2010-09-30 04:32:32 -------- d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-09-08 17:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 17:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-08-29 19:07:19 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-08-29 19:07:18 423656 ----a-w- c:\windows\system32\deployJava1.dll

============= FINISH: 21:44:26.59 ===============

GMER 1.0.15.15477 - http://www.gmer.net

Rootkit scan 2010-10-28 22:02:07

Windows 5.1.2600 Service Pack 3

Running: p2h86sfs[1].exe; Driver: C:\DOCUME~1\Rudy\LOCALS~1\Temp\fwdcipow.sys

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1472] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DB000A

.text C:\WINDOWS\System32\svchost.exe[1472] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DC000A

.text C:\WINDOWS\System32\svchost.exe[1472] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DA000C

.text C:\WINDOWS\System32\svchost.exe[1472] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 008A000A

.text C:\WINDOWS\System32\svchost.exe[1472] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E4000A

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD000A

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DE000A

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E4000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 010D000A

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E3000C

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\iexplore.exe[3088] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\WINDOWS\Explorer.EXE[3340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A

.text C:\WINDOWS\Explorer.EXE[3340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A

.text C:\WINDOWS\Explorer.EXE[3340] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A4CC999

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A4CC999

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A4CC999

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat 9D3EBD20

Device \FileSystem\Fastfat \Fat 9D403631

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1200BEVS-75LAT0___________________02.06M02#5&2e5a1c11&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!

Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sectors 231496394 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


Hello,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Hello Elise,

Thank you for your response and your help.

I am replying to your message from a "clean" computer at work; it is my home machine (a Dell Laptop) that is infected. I have had it shut down for the most part lately. It operates through a wireless router at home and also here at work, although it has not been used here at the office lately.

Regarding the questions you asked:

Some of the issues with the infected unit are 1.) It is very slow, probably due to the virus 2.) Searches are redirected 3.) I have found recently that I am unable to control the wireless connection. When I bring up the wireless I am confronted with a message indicating other software is now in charge of the wireless. Apparently it has been "hijacked." Lord only knows what else is going on.

My home computer is not used for banking and is infrequently used for online shopping. It is mainly used by me for work related activities and I usually use e-mail to transfer files between it and my work computer. Having said that, I do want the laptop to be 100% reliable. In other words, I do not want to worry every time I visit Ebay or access my PayPal account that somebody is "looking over my shoulder." For that reason I am leaning toward a reformat of the hard drive, but am not sure what that involves. I am not even certain where to obtain software. Maybe you could give me some tips or leads with that.

I did a quick check at home and I was able to find "some" of the Microsoft software (Office). If I'm unable to locate the remaining discs I imagine I will have to replace that as well.

Questions for you:

Will I be able to pull off a reformat and reload of the dos software, given the current circumstances, or would I be better off seeking the help of a professional?

Will I be able to save programs and files currently on the laptop to an external hard drive without having this "pest" following and getting reloaded onto my refurbished system?

I will rely on your expertise in the above matters.

Thanks again for trying to assist me.

I will check in again on Monday when I am back in the office to see if you have responded to this post.

Rudy


Hi Rudy, since this is a Dell computer, it will most likely have a recovery partition. This means that a part of your hard disk contains the data necessary to perform a factory restore.

However, since this rootkit alters the master boot record of the drive, it is possible that your recovery partition may no longer be accessible. For that reason, I recommend to go through with the cleanup for now, and once everything is clean, you can decide what to do.

As for the backdoor, it's not like "someone" looks over your shoulder when doing online shopping. However, it is a security vulnerability in Windows that may or may not be exploited by future malware. If you ever get reinfected, that backdoor will make the job of malware a lot easier, so to say.
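The two findings in Rudy's GMER log that drive Elise's advice are the "Disk sectors" block (sector 00, the master boot record, flagged as TDL4) and the inline hooks in svchost.exe and Explorer.EXE whose JMP targets carry no module name, unlike the iexplore.exe hooks that GMER attributes to IEFRAME.dll. The following Python is an added triage helper written for this page; it is not GMER's code and not part of the thread. It parses GMER output in the format shown above (the sample is constructed from lines quoted in the thread), separates MBR findings from other flagged sectors, and lists hooks with no module attribution so a responder sees the reboot-surviving part of the infection first.

```python
"""
Triage helper for GMER rootkit-scan logs (added example, not GMER's own
code). It extracts two things a responder checks first:

  1. "Disk sectors" findings flagged as rootkit-like, with sector 00 (the
     MBR) reported separately: an MBR finding is what lets a bootkit such
     as TDL4 survive reboots and ordinary file-level cleanup.
  2. User-mode inline hooks (".text ... JMP ...") whose jump target has no
     module attribution. Hooks GMER resolves to a module (here IEFRAME.dll,
     signed by Microsoft) have a visible owner; unattributed targets point
     into memory no loaded module claims and deserve review.
"""
import json
import re

# Constructed sample: a trimmed subset of the GMER log posted in the thread.
SAMPLE_GMER_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1472] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DB000A
.text C:\WINDOWS\System32\svchost.exe[1472] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[3340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 231496394 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
"""

# ".text <process>[pid] <dll>!<func> <addr> N Bytes JMP <target> [<module path> (<owner>)]"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[\d+\])\s+(?P<function>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<module>.+?)\s+\((?P<owner>[^)]*)\))?\s*$",
    re.IGNORECASE,
)

# "Disk <device> sector(s) <n> [(MBR|+count)]: <verdict>"
SECTOR_RE = re.compile(
    r"^Disk\s+(?P<device>\S+)\s+sectors?\s+(?P<sector>\d+)"
    r"(?:\s+\((?P<extra>[^)]*)\))?:\s*(?P<verdict>.*)$"
)


def parse_gmer_log(text):
    """Return (hooks, sectors) parsed from GMER log text; unknown lines are skipped."""
    hooks, sectors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append(m.groupdict())  # 'module'/'owner' are None when unattributed
            continue
        m = SECTOR_RE.match(line)
        if m:
            sectors.append(m.groupdict())
    return hooks, sectors


def unattributed_hooks(hooks):
    """Hooks whose JMP target GMER could not map to any loaded module."""
    return [h for h in hooks if h["module"] is None]


def flagged_sectors(sectors):
    """Sectors GMER marked as rootkit-like, in log order."""
    return [s for s in sectors if "rootkit" in s["verdict"].lower()]


def triage(text):
    """Summarise a GMER log into the fields a responder reads first."""
    hooks, sectors = parse_gmer_log(text)
    flagged = flagged_sectors(sectors)
    return {
        "hooks_total": len(hooks),
        "hooks_unattributed": [
            f"{h['process']} {h['function']} -> {h['target']}" for h in unattributed_hooks(hooks)
        ],
        "sectors_flagged": [s["sector"] for s in flagged],
        # Sector 0 is the MBR: a finding there means the infection runs before Windows.
        "mbr_compromised": any(int(s["sector"]) == 0 for s in flagged),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_GMER_LOG), indent=2))
```

Run against the sample, the summary reports four hooks, three of them unattributed (both svchost.exe hooks and the Explorer.EXE one), three flagged sectors, and `mbr_compromised` true, which is the condition under which a file-level cleaner alone is not enough and an MBR-aware tool such as TDSSKiller, or a reinstall, is called for.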


Hello again, Elise,

I am not certain what you mean by a "factory restore." What does this entail? Is it a process I can do, or am I better off having a professional do this?

I know just enough about computers to be really, really dangerous!

As far as the "cleanup" is concerned, I'm game, that is if you think it is the way to proceed. So what would be the next step?

regards,

Rudy


A factory restore is basically the same as a reformat/reinstall, except that your computer will be restored to the settings it had when you bought it (in a way it is a simpler way, but leaves the user less choice).

Of course it's up to you, but for now I'd say to first try to clean up and then see what you want to do: restore or not.


Elise, If I have done everything correctly the data you wanted to see follows:

2010/11/01 22:32:59.0063 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49

2010/11/01 22:32:59.0063 ================================================================================

2010/11/01 22:32:59.0063 SystemInfo:

2010/11/01 22:32:59.0063

2010/11/01 22:32:59.0063 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/01 22:32:59.0063 Product type: Workstation

2010/11/01 22:32:59.0063 ComputerName: RUDYHEMMANN

2010/11/01 22:32:59.0063 UserName: Rudy

2010/11/01 22:32:59.0063 Windows directory: C:\WINDOWS

2010/11/01 22:32:59.0063 System windows directory: C:\WINDOWS

2010/11/01 22:32:59.0063 Processor architecture: Intel x86

2010/11/01 22:32:59.0063 Number of processors: 2

2010/11/01 22:32:59.0063 Page size: 0x1000

2010/11/01 22:32:59.0063 Boot type: Normal boot

2010/11/01 22:32:59.0063 ================================================================================

2010/11/01 22:32:59.0578 Initialize success

2010/11/01 22:33:21.0703 ================================================================================

2010/11/01 22:33:21.0703 Scan started

2010/11/01 22:33:21.0703 Mode: Manual;

2010/11/01 22:33:21.0703 ================================================================================


2010/11/01 22:34:04.0453 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/11/01 22:34:04.0453 ================================================================================

2010/11/01 22:34:04.0453 Scan finished

2010/11/01 22:34:04.0453 ================================================================================

2010/11/01 22:34:04.0563 Detected object count: 29

2010/11/01 22:36:37.0891 Unsigned file(AegisP) - User select action: Skip

2010/11/01 22:36:37.0891 Unsigned file(APPDRV) - User select action: Skip

2010/11/01 22:36:37.0891 Unsigned file(ASCTRM) - User select action: Skip

2010/11/01 22:36:37.0907 Unsigned file(btaudio) - User select action: Skip

2010/11/01 22:36:37.0907 Unsigned file(BTDriver) - User select action: Skip

2010/11/01 22:36:37.0907 Unsigned file(BTKRNL) - User select action: Skip

2010/11/01 22:36:37.0907 Unsigned file(BTSERIAL) - User select action: Skip

2010/11/01 22:36:37.0907 Unsigned file(BTWDNDIS) - User select action: Skip

2010/11/01 22:36:37.0907 Unsigned file(btwhid) - User select action: Skip

2010/11/01 22:36:37.0907 Unsigned file(btwmodem) - User select action: Skip

2010/11/01 22:36:37.0907 Unsigned file(BTWUSB) - User select action: Skip

2010/11/01 22:36:37.0907 Unsigned file(drvmcdb) - User select action: Skip

2010/11/01 22:36:37.0922 Unsigned file(drvnddm) - User select action: Skip

2010/11/01 22:36:37.0922 Unsigned file(DSproct) - User select action: Skip

2010/11/01 22:36:37.0922 Unsigned file(omci) - User select action: Skip

2010/11/01 22:36:37.0922 Unsigned file(PxHelp20) - User select action: Skip

2010/11/01 22:36:37.0922 Unsigned file(s24trans) - User select action: Skip

2010/11/01 22:36:37.0922 Unsigned file(sscdbhk5) - User select action: Skip

2010/11/01 22:36:37.0922 Unsigned file(ssrtln) - User select action: Skip

2010/11/01 22:36:37.0922 Unsigned file(tfsnboio) - User select action: Skip

2010/11/01 22:36:37.0922 Unsigned file(tfsncofs) - User select action: Skip

2010/11/01 22:36:37.0922 Unsigned file(tfsndrct) - User select action: Skip

2010/11/01 22:36:37.0938 Unsigned file(tfsndres) - User select action: Skip

2010/11/01 22:36:37.0938 Unsigned file(tfsnifs) - User select action: Skip

2010/11/01 22:36:37.0938 Unsigned file(tfsnopio) - User select action: Skip

2010/11/01 22:36:37.0938 Unsigned file(tfsnpool) - User select action: Skip

2010/11/01 22:36:37.0938 Unsigned file(tfsnudf) - User select action: Skip

2010/11/01 22:36:37.0938 Unsigned file(tfsnudfa) - User select action: Skip

2010/11/01 22:36:37.0938 \HardDisk0\MBR - will be cured after reboot

2010/11/01 22:36:37.0938 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure

2010/11/01 22:36:54.0125 Deinitialize success


It looks like there is more hiding there. Let's see if we can find out what.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[Screenshot: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Screenshot: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Elise,

Sorry, couldn't get the file C: Combofix that you asked for. Here is the story.

I downloaded the Combofix software, but when the software ran I kept getting an error message about my AVG software not allowing it to run even though I had disabled it. I attempted to delete the AVG entirely, but had a tough time getting that done. The uninstall screen would revert to an install screen. (Obviously the virus doing its thing.) It frustrated me for a while but finally got the AVG to uninstall.

Following that I got error messages when Combofix ran that stated I could not rename Combofix as Combofix[1], and that I had to rename it with alphanumeric characters only (I assumed that the brackets were being complained about). I finally saved it to My Documents and renamed it Combofix a. Initially I got a message saying I could not use that name either, but for some reason it finally took off and seemed to be running. At any rate, there was a small blue screen that indicated some action. It stated:

"Scanning for infected files."

"This typically doesn't take more than 10 minutes"

"However, scan times for badly infected machines may easily double."

And then it went on to indicate a number of "completed stages."

It went from stage 1 through about stage 40, at which time I got "the blue screen of death" with a potentially scary (for me, at least) message. The machine also locked up tighter than a 50 gal. drum. Had to unplug it and everything.

The message on the screen stated:

"A problem has been detected and windows has been shut down to prevent damage to your computer."

"If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps: Check to be sure you have adequate disc space. If a driver is indicated in the stop message ..."

It went on like this for a few more lines, with the statement followed by some official looking numbers--lots of zeros and x's and such.

The machine crashed like this twice before I was smart enough to throw in the towel and let you know what had happened.

I may have salvaged a small portion of data for your review. I did a search for Combofix and got virtually nothing--but then it dawned on me to search for files that had been updated today and copied anything that was labeled a text file that had any size to it at all. I hope some of this stuff means something and that you can use it.

Other than that I will await your suggestions as to how to get Combofix to run.

Regards,

R.

[KB2121546.log]

0.938: ================================================================================

0.938: 2010/11/02 21:02:46.156 (local)

0.953: C:\WINDOWS\SoftwareDistribution\Download\e6e08b7e69174f02428e62ed65bdc722\update\update.exe (version 6.3.13.0)

0.985: Hotfix started with following command line: /si /ParentInfo:59b073785e89894a8ddb99c42e455298

0.985: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

3.735: ---- Old Information In The Registry ------

3.735: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

3.735: Destination:

3.735: Source:C:\WINDOWS\TEMP\logishrd\

3.735: Destination:

3.735: ---- New Information In The Registry ------

3.735: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

3.735: Destination:

3.735: Source:C:\WINDOWS\TEMP\logishrd\

3.735: Destination:

3.750: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

3.750: SetProductTypes: InfProductBuildType=BuildType.IP

3.750: SetAltOsLoaderPath: No section uses DirId 65701; done.

3.797: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB2121546$

3.797: LoadFileQueues: UpdSpGetSourceFileLocation for halmacpi.dll failed: 0xe0000102

3.797: ref tag c:\windows\system32\sp4.cab does not exist

3.797: ref tag c:\windows\system32\sp3.cab does not exist

3.797: ref tag c:\windows\system32\sp2.cab does not exist

3.797: ref tag c:\windows\system32\sp1.cab does not exist

3.797: ref tag c:\windows\system32\driver.cab does not exist

3.797: ref tag c:\windows\system32\fp40ext.cab does not exist

3.797: ref tag c:\windows\system32\fp40ext1.cab does not exist

3.797: ref tag c:\windows\system32\wms4.cab does not exist

3.797: ref tag c:\windows\system32\wms41.cab does not exist

3.797: ref tag c:\windows\system32\ims.cab does not exist

3.797: ref tag c:\windows\system32\ims1.cab does not exist

3.797: ref tag c:\windows\system32\ins.cab does not exist

3.797: ref tag c:\windows\system32\ins1.cab does not exist

3.813: Starting AnalyzeComponents

3.813: AnalyzePhaseZero used 0 ticks

3.813: No c:\windows\INF\updtblk.inf file.

3.813: OEM file scan used 0 ticks

3.891: AnalyzePhaseOne: used 78 ticks

3.891: AnalyzeComponents: Hotpatch analysis disabled; skipping.

3.891: AnalyzeComponents: Hotpatching is disabled.

3.891: FindFirstFile c:\windows\$hf_mig$\*.*

3.891: KB2121546 Setup encountered an error: The update.ver file is not correct.

3.922: KB2121546 Setup encountered an error: The update.ver file is not correct.

3.922: KB2121546 Setup encountered an error: The update.ver file is not correct.

3.922: KB2121546 Setup encountered an error: The update.ver file is not correct.

3.922: KB2121546 Setup encountered an error: The update.ver file is not correct.

3.938: KB2121546 Setup encountered an error: The update.ver file is not correct.

3.938: KB2121546 Setup encountered an error: The update.ver file is not correct.

3.938: KB2121546 Setup encountered an error: The update.ver file is not correct.

3.938: KB2121546 Setup encountered an error: The update.ver file is not correct.

3.953: KB2121546 Setup encountered an error: The update.ver file is not correct.

4.047: KB2121546 Setup encountered an error: The update.ver file is not correct.

4.110: AnalyzeForBranching used 47 ticks.

4.110: AnalyzePhaseTwo used 0 ticks

4.110: AnalyzePhaseThree used 0 ticks

4.110: AnalyzePhaseFive used 0 ticks

4.110: AnalyzePhaseSix used 0 ticks

4.110: AnalyzeComponents used 297 ticks

4.110: Downloading 2 files

4.110: bPatchMode = TRUE

4.110: Inventory complete: ReturnStatus=0, 313 ticks

4.110: Num Ticks for invent : 313

4.141: [dumpDownloadTask] Update.exe posting request file to download a total of 4222 bytes (4222 bytes in patches and 0 bytes in fallbacks)

4.141: dumpDownloadTask returned 0xf200 (more files to download)

4.172: KB2121546 installation did not complete.

4.172: Update.exe extended error code = 0xf200

0.813: ================================================================================

0.813: 2010/11/02 21:28:33.328 (local)

0.828: C:\WINDOWS\SoftwareDistribution\Download\e6e08b7e69174f02428e62ed65bdc722\update\update.exe (version 6.3.13.0)

0.828: Hotfix started with following command line: /si /ParentInfo:ac7ab90492fcb84da6a694bfe02c5e4d

0.828: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.047: ---- Old Information In The Registry ------

1.047: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.047: Destination:

1.047: Source:C:\WINDOWS\TEMP\logishrd\

1.047: Destination:

1.047: ---- New Information In The Registry ------

1.047: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.047: Destination:

1.047: Source:C:\WINDOWS\TEMP\logishrd\

1.047: Destination:

1.047: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.047: SetProductTypes: InfProductBuildType=BuildType.IP

1.047: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.047: Express: 4,222 bytes were downloaded.

1.109: [PatchFilesFromResponseBlob] returning STATUS_READY_TO_INSTALL

1.109: KB2121546 installation did not complete.

1.109: Update.exe extended error code = 0xf201

[KB2141007.log]

4.969: ================================================================================

4.969: 2010/11/02 20:50:52.062 (local)

4.969: C:\WINDOWS\SoftwareDistribution\Download\035528df83114b75b8c2079edacaa319\update\update.exe (version 6.3.13.0)

4.969: Hotfix started with following command line: /si /ParentInfo:898b6aa951ecab42905e7adab2376521

4.985: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

6.610: ---- Old Information In The Registry ------

6.610: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

6.610: Destination:

6.610: Source:C:\WINDOWS\TEMP\logishrd\

6.610: Destination:

6.610: ---- New Information In The Registry ------

6.610: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

6.610: Destination:

6.610: Source:C:\WINDOWS\TEMP\logishrd\

6.610: Destination:

6.641: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

6.641: SetProductTypes: InfProductBuildType=BuildType.IP

6.656: SetAltOsLoaderPath: No section uses DirId 65701; done.

6.703: LoadFileQueues: UpdSpGetSourceFileLocation for halmacpi.dll failed: 0xe0000102

6.703: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB2141007$

6.781: ref tag c:\windows\system32\sp4.cab does not exist

6.781: ref tag c:\windows\system32\sp3.cab does not exist

6.781: ref tag c:\windows\system32\sp2.cab does not exist

6.781: ref tag c:\windows\system32\sp1.cab does not exist

6.781: ref tag c:\windows\system32\driver.cab does not exist

6.781: ref tag c:\windows\system32\fp40ext.cab does not exist

6.781: ref tag c:\windows\system32\fp40ext1.cab does not exist

6.797: ref tag c:\windows\system32\wms4.cab does not exist

6.797: ref tag c:\windows\system32\wms41.cab does not exist

6.797: ref tag c:\windows\system32\ims.cab does not exist

6.797: ref tag c:\windows\system32\ims1.cab does not exist

6.797: ref tag c:\windows\system32\ins.cab does not exist

6.797: ref tag c:\windows\system32\ins1.cab does not exist

6.797: Starting AnalyzeComponents

6.797: AnalyzePhaseZero used 0 ticks

6.797: No c:\windows\INF\updtblk.inf file.

6.797: OEM file scan used 0 ticks

6.953: AnalyzePhaseOne: used 156 ticks

6.953: AnalyzeComponents: Hotpatch analysis disabled; skipping.

6.953: AnalyzeComponents: Hotpatching is disabled.

6.953: FindFirstFile c:\windows\$hf_mig$\*.*

8.500: KB2141007 Setup encountered an error: The update.ver file is not correct.

8.750: KB2141007 Setup encountered an error: The update.ver file is not correct.

9.344: KB2141007 Setup encountered an error: The update.ver file is not correct.

9.344: KB2141007 Setup encountered an error: The update.ver file is not correct.

9.766: KB2141007 Setup encountered an error: The update.ver file is not correct.

9.969: KB2141007 Setup encountered an error: The update.ver file is not correct.

9.985: KB2141007 Setup encountered an error: The update.ver file is not correct.

10.125: KB2141007 Setup encountered an error: The update.ver file is not correct.

10.906: KB2141007 Setup encountered an error: The update.ver file is not correct.

17.953: AnalyzeForBranching used 15 ticks.

17.953: AnalyzePhaseTwo used 0 ticks

17.953: AnalyzePhaseThree used 0 ticks

17.953: AnalyzePhaseFive used 0 ticks

17.953: AnalyzePhaseSix used 0 ticks

17.953: AnalyzeComponents used 11156 ticks

17.953: Downloading 2 files

17.953: bPatchMode = TRUE

17.953: Inventory complete: ReturnStatus=0, 11250 ticks

17.953: Num Ticks for invent : 11250

17.969: [dumpDownloadTask] Update.exe posting request file to download a total of 58318 bytes (58318 bytes in patches and 0 bytes in fallbacks)

17.969: dumpDownloadTask returned 0xf200 (more files to download)

18.078: KB2141007 installation did not complete.

18.078: Update.exe extended error code = 0xf200

0.844: ================================================================================

0.891: 2010/11/02 21:25:21.187 (local)

0.891: C:\WINDOWS\SoftwareDistribution\Download\035528df83114b75b8c2079edacaa319\update\update.exe (version 6.3.13.0)

0.891: Hotfix started with following command line: /si /ParentInfo:c8d524dc4dd6b342906ca8c54074b486

0.891: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.469: ---- Old Information In The Registry ------

1.469: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.469: Destination:

1.469: Source:C:\WINDOWS\TEMP\logishrd\

1.469: Destination:

1.469: ---- New Information In The Registry ------

1.469: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.469: Destination:

1.469: Source:C:\WINDOWS\TEMP\logishrd\

1.469: Destination:

1.469: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.469: SetProductTypes: InfProductBuildType=BuildType.IP

1.469: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.485: Express: 58,318 bytes were downloaded.

1.703: [PatchFilesFromResponseBlob] returning STATUS_READY_TO_INSTALL

1.735: KB2141007 installation did not complete.

1.735: Update.exe extended error code = 0xf201

[KB2279986.log]

1.047: ================================================================================

1.047: 2010/11/02 21:21:28.781 (local)

1.047: C:\WINDOWS\SoftwareDistribution\Download\a68c3384979889bdeede2ca0a92739be\update\update.exe (version 6.3.13.0)

1.078: Hotfix started with following command line: /si /ParentInfo:ca0921f8053ce548ab1854f5d375c189

1.078: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

2.000: ---- Old Information In The Registry ------

2.000: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

2.000: Destination:

2.000: Source:C:\WINDOWS\TEMP\logishrd\

2.000: Destination:

2.000: ---- New Information In The Registry ------

2.000: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

2.000: Destination:

2.000: Source:C:\WINDOWS\TEMP\logishrd\

2.000: Destination:

2.031: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

2.047: SetProductTypes: InfProductBuildType=BuildType.IP

2.047: SetAltOsLoaderPath: No section uses DirId 65701; done.

2.078: LoadFileQueues: UpdSpGetSourceFileLocation for halmacpi.dll failed: 0xe0000102

2.078: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB2279986$

2.078: ref tag c:\windows\system32\sp4.cab does not exist

2.078: ref tag c:\windows\system32\sp3.cab does not exist

2.078: ref tag c:\windows\system32\sp2.cab does not exist

2.078: ref tag c:\windows\system32\sp1.cab does not exist

2.078: ref tag c:\windows\system32\driver.cab does not exist

2.078: ref tag c:\windows\system32\fp40ext.cab does not exist

2.078: ref tag c:\windows\system32\fp40ext1.cab does not exist

2.094: ref tag c:\windows\system32\wms4.cab does not exist

2.094: ref tag c:\windows\system32\wms41.cab does not exist

2.094: ref tag c:\windows\system32\ims.cab does not exist

2.094: ref tag c:\windows\system32\ims1.cab does not exist

2.094: ref tag c:\windows\system32\ins.cab does not exist

2.094: ref tag c:\windows\system32\ins1.cab does not exist

2.094: Starting AnalyzeComponents

2.094: AnalyzePhaseZero used 0 ticks

2.094: No c:\windows\INF\updtblk.inf file.

2.094: OEM file scan used 0 ticks

2.609: AnalyzePhaseOne: used 515 ticks

2.609: AnalyzeComponents: Hotpatch analysis disabled; skipping.

2.609: AnalyzeComponents: Hotpatching is disabled.

2.609: FindFirstFile c:\windows\$hf_mig$\*.*

2.609: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.609: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.625: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.625: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.672: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.672: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.687: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.687: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.703: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.703: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.703: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.719: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.750: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.828: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.828: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.828: KB2279986 Setup encountered an error: The update.ver file is not correct.

2.844: AnalyzeForBranching used 0 ticks.

2.844: AnalyzePhaseTwo used 0 ticks

2.844: AnalyzePhaseThree used 0 ticks

2.844: AnalyzePhaseFive used 0 ticks

2.844: AnalyzePhaseSix used 0 ticks

2.844: AnalyzeComponents used 750 ticks

2.844: Downloading 2 files

2.844: bPatchMode = TRUE

2.844: Inventory complete: ReturnStatus=0, 766 ticks

2.844: Num Ticks for invent : 766

2.875: [dumpDownloadTask] Update.exe posting request file to download a total of 26150 bytes (26150 bytes in patches and 0 bytes in fallbacks)

2.875: dumpDownloadTask returned 0xf200 (more files to download)

2.906: KB2279986 installation did not complete.

2.906: Update.exe extended error code = 0xf200

0.766: ================================================================================

0.766: 2010/11/02 21:29:30.953 (local)

0.766: C:\WINDOWS\SoftwareDistribution\Download\a68c3384979889bdeede2ca0a92739be\update\update.exe (version 6.3.13.0)

0.766: Hotfix started with following command line: /si /ParentInfo:a779c7149b6c744f9a90cf3a83f11b31

0.766: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.062: ---- Old Information In The Registry ------

1.062: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.062: Destination:

1.062: Source:C:\WINDOWS\TEMP\logishrd\

1.062: Destination:

1.062: ---- New Information In The Registry ------

1.062: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.062: Destination:

1.062: Source:C:\WINDOWS\TEMP\logishrd\

1.062: Destination:

1.062: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.062: SetProductTypes: InfProductBuildType=BuildType.IP

1.062: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.094: Express: 26,150 bytes were downloaded.

1.266: [PatchFilesFromResponseBlob] returning STATUS_READY_TO_INSTALL

1.297: KB2279986 installation did not complete.

1.297: Update.exe extended error code = 0xf201

[KB2345886.log]

0.844: ================================================================================

0.844: 2010/11/02 21:21:15.781 (local)

0.844: C:\WINDOWS\SoftwareDistribution\Download\73c53bc9363e2e6052da2282e21dc353\update\update.exe (version 6.3.13.0)

0.859: Hotfix started with following command line: /si /ParentInfo:aeca158fba504140b16579c69d2d25d0

0.859: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.312: ---- Old Information In The Registry ------

1.312: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.312: Destination:

1.312: Source:C:\WINDOWS\TEMP\logishrd\

1.312: Destination:

1.312: ---- New Information In The Registry ------

1.312: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.312: Destination:

1.312: Source:C:\WINDOWS\TEMP\logishrd\

1.312: Destination:

1.344: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.344: SetProductTypes: InfProductBuildType=BuildType.IP

1.344: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.375: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB2345886$

1.375: LoadFileQueues: UpdSpGetSourceFileLocation for halmacpi.dll failed: 0xe0000102

1.406: ref tag c:\windows\system32\sp4.cab does not exist

1.406: ref tag c:\windows\system32\sp3.cab does not exist

1.406: ref tag c:\windows\system32\sp2.cab does not exist

1.406: ref tag c:\windows\system32\sp1.cab does not exist

1.406: ref tag c:\windows\system32\driver.cab does not exist

1.406: ref tag c:\windows\system32\fp40ext.cab does not exist

1.406: ref tag c:\windows\system32\fp40ext1.cab does not exist

1.406: ref tag c:\windows\system32\wms4.cab does not exist

1.406: ref tag c:\windows\system32\wms41.cab does not exist

1.406: ref tag c:\windows\system32\ims.cab does not exist

1.406: ref tag c:\windows\system32\ims1.cab does not exist

1.406: ref tag c:\windows\system32\ins.cab does not exist

1.406: ref tag c:\windows\system32\ins1.cab does not exist

1.406: Starting AnalyzeComponents

1.406: AnalyzePhaseZero used 0 ticks

1.406: No c:\windows\INF\updtblk.inf file.

1.406: OEM file scan used 0 ticks

1.547: AnalyzePhaseOne: used 141 ticks

1.547: AnalyzeComponents: Hotpatch analysis disabled; skipping.

1.547: AnalyzeComponents: Hotpatching is disabled.

1.547: FindFirstFile c:\windows\$hf_mig$\*.*

1.547: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.547: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.547: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.609: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.609: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.625: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.625: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.641: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.641: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.641: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.656: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.672: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.750: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.750: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.750: KB2345886 Setup encountered an error: The update.ver file is not correct.

1.766: AnalyzeForBranching used 16 ticks.

1.766: AnalyzePhaseTwo used 0 ticks

1.766: AnalyzePhaseThree used 0 ticks

1.781: AnalyzePhaseFive used 15 ticks

1.781: AnalyzePhaseSix used 0 ticks

1.781: AnalyzeComponents used 375 ticks

1.781: Downloading 6 files

1.781: bPatchMode = TRUE

1.781: Inventory complete: ReturnStatus=0, 406 ticks

1.781: Num Ticks for invent : 406

1.797: [dumpDownloadTask] Update.exe posting request file to download a total of 103357 bytes (103357 bytes in patches and 0 bytes in fallbacks)

1.797: dumpDownloadTask returned 0xf200 (more files to download)

1.859: KB2345886 installation did not complete.

1.859: Update.exe extended error code = 0xf200

0.829: ================================================================================

0.829: 2010/11/02 21:29:27.828 (local)

0.860: C:\WINDOWS\SoftwareDistribution\Download\73c53bc9363e2e6052da2282e21dc353\update\update.exe (version 6.3.13.0)

0.860: Hotfix started with following command line: /si /ParentInfo:267fd2ccec6c0c45a7bce65e09b8bb16

0.860: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.313: ---- Old Information In The Registry ------

1.313: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.313: Destination:

1.313: Source:C:\WINDOWS\TEMP\logishrd\

1.313: Destination:

1.313: ---- New Information In The Registry ------

1.313: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.313: Destination:

1.313: Source:C:\WINDOWS\TEMP\logishrd\

1.313: Destination:

1.313: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.313: SetProductTypes: InfProductBuildType=BuildType.IP

1.313: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.313: Express: 103,357 bytes were downloaded.

1.422: [PatchFilesFromResponseBlob] returning STATUS_READY_TO_INSTALL

1.454: KB2345886 installation did not complete.

1.454: Update.exe extended error code = 0xf201

[KB2347290.log]

0.875: ================================================================================

0.875: 2010/11/02 21:06:57.281 (local)

0.875: C:\WINDOWS\SoftwareDistribution\Download\fff729731cd7795c1d0f7a71d85c0fd1\update\update.exe (version 6.3.13.0)

0.906: Hotfix started with following command line: /si /ParentInfo:3c10089f1fde50408bf747d8d6123a7b

0.906: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.187: ---- Old Information In The Registry ------

1.187: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.187: Destination:

1.187: Source:C:\WINDOWS\TEMP\logishrd\

1.187: Destination:

1.187: ---- New Information In The Registry ------

1.187: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.187: Destination:

1.187: Source:C:\WINDOWS\TEMP\logishrd\

1.187: Destination:

1.203: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.203: SetProductTypes: InfProductBuildType=BuildType.IP

1.203: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.203: LoadFileQueues: UpdSpGetSourceFileLocation for halmacpi.dll failed: 0xe0000102

1.203: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB2347290$

1.203: ref tag c:\windows\system32\sp4.cab does not exist

1.203: ref tag c:\windows\system32\sp3.cab does not exist

1.203: ref tag c:\windows\system32\sp2.cab does not exist

1.203: ref tag c:\windows\system32\sp1.cab does not exist

1.203: ref tag c:\windows\system32\driver.cab does not exist

1.203: ref tag c:\windows\system32\fp40ext.cab does not exist

1.203: ref tag c:\windows\system32\fp40ext1.cab does not exist

1.203: ref tag c:\windows\system32\wms4.cab does not exist

1.203: ref tag c:\windows\system32\wms41.cab does not exist

1.203: ref tag c:\windows\system32\ims.cab does not exist

1.203: ref tag c:\windows\system32\ims1.cab does not exist

1.203: ref tag c:\windows\system32\ins.cab does not exist

1.203: ref tag c:\windows\system32\ins1.cab does not exist

1.203: Starting AnalyzeComponents

1.203: AnalyzePhaseZero used 0 ticks

1.203: No c:\windows\INF\updtblk.inf file.

1.203: OEM file scan used 0 ticks

1.250: AnalyzePhaseOne: used 47 ticks

1.250: AnalyzeComponents: Hotpatch analysis disabled; skipping.

1.250: AnalyzeComponents: Hotpatching is disabled.

1.250: FindFirstFile c:\windows\$hf_mig$\*.*

1.250: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.250: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.281: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.281: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.281: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.281: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.297: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.297: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.297: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.297: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.312: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.390: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.390: KB2347290 Setup encountered an error: The update.ver file is not correct.

1.406: AnalyzeForBranching used 0 ticks.

1.406: AnalyzePhaseTwo used 0 ticks

1.406: AnalyzePhaseThree used 0 ticks

1.406: AnalyzePhaseFive used 0 ticks

1.406: AnalyzePhaseSix used 0 ticks

1.406: AnalyzeComponents used 203 ticks

1.406: Downloading 2 files

1.406: bPatchMode = TRUE

1.406: Inventory complete: ReturnStatus=0, 203 ticks

1.406: Num Ticks for invent : 203

1.406: [dumpDownloadTask] Update.exe posting request file to download a total of 9966 bytes (9966 bytes in patches and 0 bytes in fallbacks)

1.406: dumpDownloadTask returned 0xf200 (more files to download)

1.422: KB2347290 installation did not complete.

1.422: Update.exe extended error code = 0xf200

0.812: ================================================================================

0.875: 2010/11/02 21:28:46.656 (local)

0.875: C:\WINDOWS\SoftwareDistribution\Download\fff729731cd7795c1d0f7a71d85c0fd1\update\update.exe (version 6.3.13.0)

0.875: Hotfix started with following command line: /si /ParentInfo:75685250376d674491e80c6e1c477ff9

0.875: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.078: ---- Old Information In The Registry ------

1.078: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.078: Destination:

1.078: Source:C:\WINDOWS\TEMP\logishrd\

1.078: Destination:

1.078: ---- New Information In The Registry ------

1.078: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.078: Destination:

1.078: Source:C:\WINDOWS\TEMP\logishrd\

1.078: Destination:

1.078: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.078: SetProductTypes: InfProductBuildType=BuildType.IP

1.078: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.078: Express: 9,966 bytes were downloaded.

1.093: [PatchFilesFromResponseBlob] returning STATUS_READY_TO_INSTALL

1.125: KB2347290 installation did not complete.

1.125: Update.exe extended error code = 0xf201

[KB979687.log]

0.875: ================================================================================

0.875: 2010/11/02 21:06:52.687 (local)

0.875: C:\WINDOWS\SoftwareDistribution\Download\9bf014a550088c334c7e0d4ab81a0f70\update\update.exe (version 6.3.13.0)

0.875: Hotfix started with following command line: /si /ParentInfo:82b7698b46bd844ca3a8992816522d69

0.875: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.250: ---- Old Information In The Registry ------

1.250: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.250: Destination:

1.250: Source:C:\WINDOWS\TEMP\logishrd\

1.250: Destination:

1.250: ---- New Information In The Registry ------

1.250: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.250: Destination:

1.250: Source:C:\WINDOWS\TEMP\logishrd\

1.250: Destination:

1.250: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.250: SetProductTypes: InfProductBuildType=BuildType.IP

1.250: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.266: LoadFileQueues: UpdSpGetSourceFileLocation for halmacpi.dll failed: 0xe0000102

1.266: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB979687$

1.266: ref tag c:\windows\system32\sp4.cab does not exist

1.266: ref tag c:\windows\system32\sp3.cab does not exist

1.266: ref tag c:\windows\system32\sp2.cab does not exist

1.266: ref tag c:\windows\system32\sp1.cab does not exist

1.266: ref tag c:\windows\system32\driver.cab does not exist

1.266: ref tag c:\windows\system32\fp40ext.cab does not exist

1.266: ref tag c:\windows\system32\fp40ext1.cab does not exist

1.266: ref tag c:\windows\system32\wms4.cab does not exist

1.266: ref tag c:\windows\system32\wms41.cab does not exist

1.266: ref tag c:\windows\system32\ims.cab does not exist

1.266: ref tag c:\windows\system32\ims1.cab does not exist

1.266: ref tag c:\windows\system32\ins.cab does not exist

1.266: ref tag c:\windows\system32\ins1.cab does not exist

1.266: Starting AnalyzeComponents

1.266: AnalyzePhaseZero used 0 ticks

1.266: No c:\windows\INF\updtblk.inf file.

1.266: OEM file scan used 0 ticks

1.547: AnalyzePhaseOne: used 281 ticks

1.547: AnalyzeComponents: Hotpatch analysis disabled; skipping.

1.547: AnalyzeComponents: Hotpatching is disabled.

1.547: FindFirstFile c:\windows\$hf_mig$\*.*

1.547: KB979687 Setup encountered an error: The update.ver file is not correct.

1.547: KB979687 Setup encountered an error: The update.ver file is not correct.

1.594: KB979687 Setup encountered an error: The update.ver file is not correct.

1.594: KB979687 Setup encountered an error: The update.ver file is not correct.

1.609: KB979687 Setup encountered an error: The update.ver file is not correct.

1.609: KB979687 Setup encountered an error: The update.ver file is not correct.

1.625: KB979687 Setup encountered an error: The update.ver file is not correct.

1.625: KB979687 Setup encountered an error: The update.ver file is not correct.

1.625: KB979687 Setup encountered an error: The update.ver file is not correct.

1.641: KB979687 Setup encountered an error: The update.ver file is not correct.

1.656: KB979687 Setup encountered an error: The update.ver file is not correct.

1.781: KB979687 Setup encountered an error: The update.ver file is not correct.

1.828: AnalyzeForBranching used 47 ticks.

1.844: AnalyzePhaseTwo used 16 ticks

1.844: AnalyzePhaseThree used 0 ticks

1.859: AnalyzePhaseFive used 15 ticks

1.859: AnalyzePhaseSix used 0 ticks

1.859: AnalyzeComponents used 593 ticks

1.859: Downloading 6 files

1.859: bPatchMode = TRUE

1.859: Inventory complete: ReturnStatus=0, 593 ticks

1.859: Num Ticks for invent : 593

1.891: [dumpDownloadTask] Update.exe posting request file to download a total of 252701 bytes (176212 bytes in patches and 76489 bytes in fallbacks)

1.891: dumpDownloadTask returned 0xf200 (more files to download)

1.922: KB979687 installation did not complete.

1.922: Update.exe extended error code = 0xf200

0.812: ================================================================================

0.828: 2010/11/02 21:28:43.765 (local)

0.828: C:\WINDOWS\SoftwareDistribution\Download\9bf014a550088c334c7e0d4ab81a0f70\update\update.exe (version 6.3.13.0)

0.828: Hotfix started with following command line: /si /ParentInfo:7361dce022be024e9b6ba0209f55d3ef

0.828: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.047: ---- Old Information In The Registry ------

1.047: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.047: Destination:

1.047: Source:C:\WINDOWS\TEMP\logishrd\

1.047: Destination:

1.047: ---- New Information In The Registry ------

1.047: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.047: Destination:

1.047: Source:C:\WINDOWS\TEMP\logishrd\

1.047: Destination:

1.047: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.047: SetProductTypes: InfProductBuildType=BuildType.IP

1.047: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.062: Express: 252,701 bytes were downloaded.

1.344: [PatchFilesFromResponseBlob] returning STATUS_READY_TO_INSTALL

1.344: KB979687 installation did not complete.

1.344: Update.exe extended error code = 0xf201

[KB981322.log]

1.203: ================================================================================

1.203: 2010/11/02 21:00:50.968 (local)

1.203: C:\WINDOWS\SoftwareDistribution\Download\6bfdd3e98c4463f29fd65075ada4739c\update\update.exe (version 6.3.13.0)

1.281: Hotfix started with following command line: /si /ParentInfo:52e6641d45eb0240852c15aab8034b78

1.281: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.750: ---- Old Information In The Registry ------

1.750: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.750: Destination:

1.750: Source:C:\WINDOWS\TEMP\logishrd\

1.750: Destination:

1.750: ---- New Information In The Registry ------

1.750: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.750: Destination:

1.750: Source:C:\WINDOWS\TEMP\logishrd\

1.750: Destination:

1.781: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.781: SetProductTypes: InfProductBuildType=BuildType.IP

1.781: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.828: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB981322$

1.828: LoadFileQueues: UpdSpGetSourceFileLocation for halmacpi.dll failed: 0xe0000102

1.828: ref tag c:\windows\system32\sp4.cab does not exist

1.828: ref tag c:\windows\system32\sp3.cab does not exist

1.828: ref tag c:\windows\system32\sp2.cab does not exist

1.828: ref tag c:\windows\system32\sp1.cab does not exist

1.828: ref tag c:\windows\system32\driver.cab does not exist

1.828: ref tag c:\windows\system32\fp40ext.cab does not exist

1.828: ref tag c:\windows\system32\fp40ext1.cab does not exist

1.828: ref tag c:\windows\system32\wms4.cab does not exist

1.828: ref tag c:\windows\system32\wms41.cab does not exist

1.828: ref tag c:\windows\system32\ims.cab does not exist

1.828: ref tag c:\windows\system32\ims1.cab does not exist

1.828: ref tag c:\windows\system32\ins.cab does not exist

1.828: ref tag c:\windows\system32\ins1.cab does not exist

1.891: Starting AnalyzeComponents

1.891: AnalyzePhaseZero used 0 ticks

1.891: No c:\windows\INF\updtblk.inf file.

1.891: OEM file scan used 0 ticks

1.953: AnalyzePhaseOne: used 62 ticks

1.953: AnalyzeComponents: Hotpatch analysis disabled; skipping.

1.953: AnalyzeComponents: Hotpatching is disabled.

1.953: FindFirstFile c:\windows\$hf_mig$\*.*

1.953: KB981322 Setup encountered an error: The update.ver file is not correct.

2.000: KB981322 Setup encountered an error: The update.ver file is not correct.

2.016: KB981322 Setup encountered an error: The update.ver file is not correct.

2.031: KB981322 Setup encountered an error: The update.ver file is not correct.

2.031: KB981322 Setup encountered an error: The update.ver file is not correct.

2.031: KB981322 Setup encountered an error: The update.ver file is not correct.

2.047: KB981322 Setup encountered an error: The update.ver file is not correct.

2.047: KB981322 Setup encountered an error: The update.ver file is not correct.

2.047: KB981322 Setup encountered an error: The update.ver file is not correct.

2.078: KB981322 Setup encountered an error: The update.ver file is not correct.

2.281: AnalyzeForBranching used 78 ticks.

2.281: AnalyzePhaseTwo used 0 ticks

2.281: AnalyzePhaseThree used 0 ticks

2.297: AnalyzePhaseFive used 16 ticks

2.297: AnalyzePhaseSix used 0 ticks

2.297: AnalyzeComponents used 406 ticks

2.297: Downloading 2 files

2.297: bPatchMode = TRUE

2.297: Inventory complete: ReturnStatus=0, 469 ticks

2.297: Num Ticks for invent : 469

2.375: [dumpDownloadTask] Update.exe posting request file to download a total of 3500 bytes (3500 bytes in patches and 0 bytes in fallbacks)

2.375: dumpDownloadTask returned 0xf200 (more files to download)

2.609: KB981322 installation did not complete.

2.609: Update.exe extended error code = 0xf200

0.797: ================================================================================

0.812: 2010/11/02 21:28:30.796 (local)

0.812: C:\WINDOWS\SoftwareDistribution\Download\6bfdd3e98c4463f29fd65075ada4739c\update\update.exe (version 6.3.13.0)

0.812: Hotfix started with following command line: /si /ParentInfo:af94ac1f1ce7ea42a5cc4c7a4f7c6356

0.812: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

0.984: ---- Old Information In The Registry ------

0.984: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

0.984: Destination:

0.984: Source:C:\WINDOWS\TEMP\logishrd\

0.984: Destination:

0.984: ---- New Information In The Registry ------

0.984: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

0.984: Destination:

0.984: Source:C:\WINDOWS\TEMP\logishrd\

0.984: Destination:

0.984: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

0.984: SetProductTypes: InfProductBuildType=BuildType.IP

0.984: SetAltOsLoaderPath: No section uses DirId 65701; done.

0.984: Express: 3,500 bytes were downloaded.

1.047: [PatchFilesFromResponseBlob] returning STATUS_READY_TO_INSTALL

1.062: KB981322 installation did not complete.

1.062: Update.exe extended error code = 0xf201

[KB981957.log]

0.859: ================================================================================

0.859: 2010/11/02 21:28:07.343 (local)

0.859: C:\WINDOWS\SoftwareDistribution\Download\2014573de7d8912535b413123071c375\update\update.exe (version 6.3.13.0)

0.937: Hotfix started with following command line: /si /ParentInfo:eeb1f10fb7604840a64e57e6d5f2da03

0.937: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.234: ---- Old Information In The Registry ------

1.234: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.234: Destination:

1.234: Source:C:\WINDOWS\TEMP\logishrd\

1.234: Destination:

1.234: ---- New Information In The Registry ------

1.234: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.234: Destination:

1.234: Source:C:\WINDOWS\TEMP\logishrd\

1.234: Destination:

1.234: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.234: SetProductTypes: InfProductBuildType=BuildType.IP

1.234: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.297: SessionImageSize is Present

1.297: SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\SessionImageSize is Greater or Equal To Specified Value

1.297: Condition Check for Line 1 of win32k.Session.ExtendedConditional returned FALSE

1.297: LoadFileQueues: UpdSpGetSourceFileLocation for halmacpi.dll failed: 0xe0000102

1.297: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB981957$

1.312: ref tag c:\windows\system32\sp4.cab does not exist

1.312: ref tag c:\windows\system32\sp3.cab does not exist

1.312: ref tag c:\windows\system32\sp2.cab does not exist

1.312: ref tag c:\windows\system32\sp1.cab does not exist

1.312: ref tag c:\windows\system32\driver.cab does not exist

1.312: ref tag c:\windows\system32\fp40ext.cab does not exist

1.312: ref tag c:\windows\system32\fp40ext1.cab does not exist

1.312: ref tag c:\windows\system32\wms4.cab does not exist

1.312: ref tag c:\windows\system32\wms41.cab does not exist

1.312: ref tag c:\windows\system32\ims.cab does not exist

1.312: ref tag c:\windows\system32\ims1.cab does not exist

1.312: ref tag c:\windows\system32\ins.cab does not exist

1.312: ref tag c:\windows\system32\ins1.cab does not exist

1.312: Starting AnalyzeComponents

1.312: AnalyzePhaseZero used 0 ticks

1.312: No c:\windows\INF\updtblk.inf file.

1.312: OEM file scan used 0 ticks

1.469: AnalyzePhaseOne: used 157 ticks

1.469: AnalyzeComponents: Hotpatch analysis disabled; skipping.

1.469: AnalyzeComponents: Hotpatching is disabled.

1.469: FindFirstFile c:\windows\$hf_mig$\*.*

1.469: KB981957 Setup encountered an error: The update.ver file is not correct.

1.469: KB981957 Setup encountered an error: The update.ver file is not correct.

1.469: KB981957 Setup encountered an error: The update.ver file is not correct.

1.469: KB981957 Setup encountered an error: The update.ver file is not correct.

1.469: KB981957 Setup encountered an error: The update.ver file is not correct.

1.515: KB981957 Setup encountered an error: The update.ver file is not correct.

1.531: KB981957 Setup encountered an error: The update.ver file is not correct.

1.531: KB981957 Setup encountered an error: The update.ver file is not correct.

1.531: KB981957 Setup encountered an error: The update.ver file is not correct.

1.547: KB981957 Setup encountered an error: The update.ver file is not correct.

1.547: KB981957 Setup encountered an error: The update.ver file is not correct.

1.547: KB981957 Setup encountered an error: The update.ver file is not correct.

1.562: KB981957 Setup encountered an error: The update.ver file is not correct.

1.578: KB981957 Setup encountered an error: The update.ver file is not correct.

1.672: KB981957 Setup encountered an error: The update.ver file is not correct.

1.672: KB981957 Setup encountered an error: The update.ver file is not correct.

1.672: KB981957 Setup encountered an error: The update.ver file is not correct.

1.703: AnalyzeForBranching used 16 ticks.

1.703: AnalyzePhaseTwo used 0 ticks

1.703: AnalyzePhaseThree used 0 ticks

1.719: AnalyzePhaseFive used 16 ticks

1.719: AnalyzePhaseSix used 0 ticks

1.719: AnalyzeComponents used 407 ticks

1.719: Downloading 2 files

1.719: bPatchMode = TRUE

1.719: Inventory complete: ReturnStatus=0, 422 ticks

1.719: Num Ticks for invent : 422

1.781: [dumpDownloadTask] Update.exe posting request file to download a total of 263378 bytes (263378 bytes in patches and 0 bytes in fallbacks)

1.781: dumpDownloadTask returned 0xf200 (more files to download)

1.828: KB981957 installation did not complete.

1.828: Update.exe extended error code = 0xf200

0.766: ================================================================================

0.766: 2010/11/02 21:29:41.031 (local)

0.766: C:\WINDOWS\SoftwareDistribution\Download\2014573de7d8912535b413123071c375\update\update.exe (version 6.3.13.0)

0.781: Hotfix started with following command line: /si /ParentInfo:e6bab0fa1ea67f4d907ddf5697918b97

0.781: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

0.906: ---- Old Information In The Registry ------

0.906: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

0.906: Destination:

0.906: Source:C:\WINDOWS\TEMP\logishrd\

0.906: Destination:

0.906: ---- New Information In The Registry ------

0.906: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

0.906: Destination:

0.906: Source:C:\WINDOWS\TEMP\logishrd\

0.906: Destination:

0.906: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

0.906: SetProductTypes: InfProductBuildType=BuildType.IP

0.906: SetAltOsLoaderPath: No section uses DirId 65701; done.

0.906: SessionImageSize is Present

0.906: SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\SessionImageSize is Greater or Equal To Specified Value

0.906: Condition Check for Line 1 of win32k.Session.ExtendedConditional returned FALSE

0.922: Express: 263,378 bytes were downloaded.

1.156: [PatchFilesFromResponseBlob] returning STATUS_READY_TO_INSTALL

1.203: KB981957 installation did not complete.

1.203: Update.exe extended error code = 0xf201

[KB982132.log]

0.844: ================================================================================

0.844: 2010/11/02 21:14:00.812 (local)

0.844: C:\WINDOWS\SoftwareDistribution\Download\3b9a24c8602d832283340e99d108cb2a\update\update.exe (version 6.3.13.0)

0.860: Hotfix started with following command line: /si /ParentInfo:96634e7c823d9b4abc0276ac998dba40

0.860: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.235: ---- Old Information In The Registry ------

1.235: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.235: Destination:

1.235: Source:C:\WINDOWS\TEMP\logishrd\

1.235: Destination:

1.250: ---- New Information In The Registry ------

1.250: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.250: Destination:

1.250: Source:C:\WINDOWS\TEMP\logishrd\

1.250: Destination:

1.250: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.250: SetProductTypes: InfProductBuildType=BuildType.IP

1.250: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.250: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB982132$

1.250: LoadFileQueues: UpdSpGetSourceFileLocation for halmacpi.dll failed: 0xe0000102

1.250: ref tag c:\windows\system32\sp4.cab does not exist

1.250: ref tag c:\windows\system32\sp3.cab does not exist

1.250: ref tag c:\windows\system32\sp2.cab does not exist

1.250: ref tag c:\windows\system32\sp1.cab does not exist

1.250: ref tag c:\windows\system32\driver.cab does not exist

1.250: ref tag c:\windows\system32\fp40ext.cab does not exist

1.250: ref tag c:\windows\system32\fp40ext1.cab does not exist

1.266: ref tag c:\windows\system32\wms4.cab does not exist

1.266: ref tag c:\windows\system32\wms41.cab does not exist

1.266: ref tag c:\windows\system32\ims.cab does not exist

1.266: ref tag c:\windows\system32\ims1.cab does not exist

1.266: ref tag c:\windows\system32\ins.cab does not exist

1.266: ref tag c:\windows\system32\ins1.cab does not exist

1.266: Starting AnalyzeComponents

1.266: AnalyzePhaseZero used 0 ticks

1.266: No c:\windows\INF\updtblk.inf file.

1.266: OEM file scan used 0 ticks

1.391: AnalyzePhaseOne: used 125 ticks

1.391: AnalyzeComponents: Hotpatch analysis disabled; skipping.

1.391: AnalyzeComponents: Hotpatching is disabled.

1.391: FindFirstFile c:\windows\$hf_mig$\*.*

1.391: KB982132 Setup encountered an error: The update.ver file is not correct.

1.391: KB982132 Setup encountered an error: The update.ver file is not correct.

1.391: KB982132 Setup encountered an error: The update.ver file is not correct.

1.422: KB982132 Setup encountered an error: The update.ver file is not correct.

1.422: KB982132 Setup encountered an error: The update.ver file is not correct.

1.438: KB982132 Setup encountered an error: The update.ver file is not correct.

1.438: KB982132 Setup encountered an error: The update.ver file is not correct.

1.438: KB982132 Setup encountered an error: The update.ver file is not correct.

1.438: KB982132 Setup encountered an error: The update.ver file is not correct.

1.438: KB982132 Setup encountered an error: The update.ver file is not correct.

1.453: KB982132 Setup encountered an error: The update.ver file is not correct.

1.469: KB982132 Setup encountered an error: The update.ver file is not correct.

1.563: KB982132 Setup encountered an error: The update.ver file is not correct.

1.563: KB982132 Setup encountered an error: The update.ver file is not correct.

1.563: AnalyzeForBranching used 0 ticks.

1.563: AnalyzePhaseTwo used 0 ticks

1.563: AnalyzePhaseThree used 0 ticks

1.563: AnalyzePhaseFive used 0 ticks

1.563: AnalyzePhaseSix used 0 ticks

1.563: AnalyzeComponents used 297 ticks

1.563: Downloading 2 files

1.563: bPatchMode = TRUE

1.563: Inventory complete: ReturnStatus=0, 313 ticks

1.578: Num Ticks for invent : 328

1.578: [dumpDownloadTask] Update.exe posting request file to download a total of 6178 bytes (6178 bytes in patches and 0 bytes in fallbacks)

1.578: dumpDownloadTask returned 0xf200 (more files to download)

1.625: KB982132 installation did not complete.

1.625: Update.exe extended error code = 0xf200

0.828: ================================================================================

0.828: 2010/11/02 21:28:49.046 (local)

0.828: C:\WINDOWS\SoftwareDistribution\Download\3b9a24c8602d832283340e99d108cb2a\update\update.exe (version 6.3.13.0)

0.828: Hotfix started with following command line: /si /ParentInfo:12a33afc2caa914b86904ef8b0c0fc66

0.844: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.016: ---- Old Information In The Registry ------

1.016: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.016: Destination:

1.016: Source:C:\WINDOWS\TEMP\logishrd\

1.016: Destination:

1.016: ---- New Information In The Registry ------

1.016: Source:C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (12.10.1110.0)

1.016: Destination:

1.016: Source:C:\WINDOWS\TEMP\logishrd\

1.016: Destination:

1.016: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2

1.016: SetProductTypes: InfProductBuildType=BuildType.IP

1.016: SetAltOsLoaderPath: No section uses DirId 65701; done.

1.016: Express: 6,178 bytes were downloaded.

1.063: [PatchFilesFromResponseBlob] returning STATUS_READY_TO_INSTALL

1.078: KB982132 installation did not complete.

1.078: Update.exe extended error code = 0xf201


HOORAH!! Two system crashes later, I finally got it.

ComboFix 10-11-02.03 - Rudy 11/03/2010 19:21:51.5.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1600 [GMT -6:00]

Running from: c:\documents and settings\Rudy\My Documents\ComboFix.exe

AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((( Files Created from 2010-10-04 to 2010-11-04 )))))))))))))))))))))))))))))))

.

2010-11-03 05:21 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C0F71A8-9B12-46CB-B99F-65FBA01CBCA8}\mpengine.dll

2010-11-03 05:21 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-11-03 03:22 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll

2010-11-03 03:22 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2010-11-03 03:22 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

2010-11-03 03:20 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

2010-10-21 02:17 . 2010-10-29 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2010-10-13 14:19 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2010-10-12 21:48 . 2010-10-12 21:48 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\Mozilla

2010-10-08 20:13 . 2010-10-08 20:13 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\PCHealth

2010-10-08 20:13 . 2010-10-08 20:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2010-10-08 14:33 . 2010-10-08 14:33 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\LogMeIn

2010-10-08 14:33 . 2010-10-08 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn

2010-10-07 19:16 . 2010-10-09 13:38 -------- d-----w- c:\program files\Microsoft Security Essentials

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 18:23 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-08-11 22:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-08-11 22:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2004-08-11 22:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-09-08 17:17 . 2010-09-08 17:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 17:17 . 2010-09-08 17:17 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-09-01 11:51 . 2004-08-11 22:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2004-08-11 22:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-29 19:07 . 2008-10-04 23:41 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-08-29 19:07 . 2010-08-29 19:07 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-08-27 08:02 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-08-11 22:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2004-08-11 22:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-04-16 03:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2004-08-11 22:00 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2004-08-11 22:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]

2009-04-09 00:53 3962184 ----a-w- c:\documents and settings\Rudy\Local Settings\Application Data\CyberDefender\cdmyidd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Rudy\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2009-04-09 3962184]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]

[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\documents and settings\Rudy\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2009-04-09 3962184]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]

[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]

[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-7 24576]

VersionTrackerPro.lnk - c:\windows\Installer\{44A26F69-C401-4F38-B739-37FB22686C34}\New_Shortcut_S1699_A8EB5A2133B04A97AEEFDFB17E2E701D.exe [2008-5-23 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 gupdate1cac3f4ed339e20;Google Update Service (gupdate1cac3f4ed339e20);c:\program files\Google\Update\GoogleUpdate.exe [3/14/2010 10:06 PM 133104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK

.

Contents of the 'Scheduled Tasks' folder

2010-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 04:06]

2010-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-15 04:06]

2010-11-04 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]

2010-11-04 c:\windows\Tasks\User_Feed_Synchronization-{DC7438FB-4B98-4593-B85D-E5839CAE0BA0}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

Trusted Zone: secureserver.net\email12

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-03 19:29

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\


Hello Elise,

Well, not bad, all things considered. I reloaded Microsoft Security Essentials (MSE), did a quick scan and it showed the machine to be clean. MSE was the only software, including AVG, Malwarebytes, and Stopzilla, that would detect and report the virus.

The machine seems to run awfully slow, though. I did downloads of Microsoft updates and it seemed to just Crrraaaawwwl along. Is there something I can do about that?

Thanks,

R


Hello again, let's see what else needs to be done here.

OTL

-----

Please download OTL from one of the following mirrors:

• Save it to your desktop.

• Double click on the OTL icon on your desktop.

• Click the "Scan All Users" checkbox.

• Push the Quick Scan button.

• Two reports will open; copy and paste them in a reply here:

  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


Elise,

Both files follow.

OTL logfile created on: 11/5/2010 6:52:58 AM - Run 1

OTL by OldTimer - Version 3.2.17.2 Folder = C:\Documents and Settings\Rudy\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 80.66 Gb Total Space | 58.53 Gb Free Space | 72.57% Space Free | Partition Type: NTFS

Drive D: | 25.89 Gb Total Space | 15.37 Gb Free Space | 59.38% Space Free | Partition Type: NTFS

Computer Name: RUDYHEMMANN | User Name: Rudy | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/05 06:50:27 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rudy\Desktop\OTL.exe

PRC - [2010/10/11 12:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

PRC - [2010/10/11 12:58:12 | 000,725,072 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe

PRC - [2010/10/06 17:24:38 | 000,652,640 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgrsx.exe

PRC - [2010/10/06 17:24:36 | 001,065,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgnsx.exe

PRC - [2010/10/06 17:24:08 | 000,845,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgcsrvx.exe

PRC - [2010/10/06 17:24:08 | 000,647,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgchsvx.exe

PRC - [2010/09/15 05:29:10 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgtray.exe

PRC - [2010/09/15 04:34:02 | 001,094,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe

PRC - [2010/09/10 01:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe

PRC - [2010/09/07 03:50:22 | 001,047,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG10\avgemcx.exe

PRC - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

PRC - [2009/10/07 02:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

PRC - [2009/01/30 10:34:44 | 001,347,584 | ---- | M] (AWS Convergence Technologies, Inc.) -- C:\Program Files\AWS\WeatherBug\Weather.exe

PRC - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe

PRC - [2008/04/23 14:18:44 | 002,162,688 | ---- | M] (CNET TechTracker) -- C:\Program Files\TechTracker\VersionTracker Pro\VersionTrackerPro.exe

PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/03/09 11:09:58 | 000,063,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

PRC - [2006/06/29 11:13:32 | 001,032,192 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe

PRC - [2006/06/29 11:12:34 | 000,376,832 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe

PRC - [2006/05/24 17:28:28 | 000,622,653 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

PRC - [2006/05/24 17:27:10 | 001,372,244 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe

PRC - [2006/05/01 08:34:00 | 000,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe

PRC - [2006/05/01 08:28:06 | 000,667,718 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

PRC - [2006/05/01 08:26:14 | 000,397,381 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

PRC - [2006/05/01 08:22:42 | 000,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

PRC - [2006/05/01 08:20:52 | 000,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

PRC - [2006/05/01 08:20:26 | 000,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

PRC - [2006/03/24 15:30:44 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe

PRC - [2005/09/30 20:22:50 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe

PRC - [2005/01/27 00:02:00 | 000,086,016 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe

PRC - [2003/10/29 01:06:00 | 000,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe

PRC - [2003/09/10 01:24:00 | 000,020,480 | ---- | M] () -- C:\Program Files\NetWaiting\netwaiting.exe

========== Modules (SafeList) ==========

MOD - [2010/11/05 06:50:27 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rudy\Desktop\OTL.exe

MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/10/11 12:58:12 | 006,104,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)

SRV - [2010/10/06 11:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)

SRV - [2010/09/10 01:45:22 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)

SRV - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)

SRV - [2010/03/18 16:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)

SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)

SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2010/03/18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)

SRV - [2009/10/07 02:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)

SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)

SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)

SRV - [2006/06/29 11:12:34 | 000,376,832 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)

SRV - [2006/05/01 08:34:00 | 000,262,217 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®

SRV - [2006/05/01 08:22:42 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®

SRV - [2006/05/01 08:20:52 | 000,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®

SRV - [2006/05/01 08:20:26 | 000,217,164 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®

SRV - [2005/09/30 20:22:50 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Rudy\LOCALS~1\Temp\catchme.sys -- (catchme)

DRV - [2010/09/13 16:27:24 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)

DRV - [2010/09/07 03:49:00 | 000,298,448 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)

DRV - [2010/09/07 03:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)

DRV - [2010/09/07 03:48:54 | 000,249,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)

DRV - [2010/09/07 03:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)

DRV - [2010/08/19 21:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)

DRV - [2010/08/19 21:42:36 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)

DRV - [2010/08/19 21:42:34 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)

DRV - [2009/10/07 02:49:50 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)

DRV - [2009/10/07 02:49:38 | 006,756,632 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech Webcam 500(UVC)

DRV - [2009/10/07 02:47:55 | 000,266,008 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)

DRV - [2009/10/07 02:46:36 | 000,025,752 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)

DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 12:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)

DRV - [2008/04/13 12:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)

DRV - [2008/04/13 10:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)

DRV - [2006/10/07 13:31:09 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)

DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)

DRV - [2006/05/24 17:07:18 | 000,328,237 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)

DRV - [2006/05/24 17:05:26 | 000,023,271 | ---- | M] (Broadcom Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\btserial.sys -- (BTSERIAL)

DRV - [2006/05/24 17:04:04 | 000,851,434 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)

DRV - [2006/05/24 17:01:34 | 000,030,427 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)

DRV - [2006/05/24 17:01:22 | 000,030,285 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwmodem.sys -- (btwmodem)

DRV - [2006/05/24 17:00:50 | 000,066,488 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)

DRV - [2006/05/24 16:58:18 | 000,148,900 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)

DRV - [2006/05/24 16:57:00 | 000,045,683 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)

DRV - [2006/05/01 08:52:02 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)

DRV - [2006/04/26 15:13:04 | 001,429,632 | ---- | M] (Intel


Hello again,

I recommend uninstalling Cyber Defender and seeing if that makes any difference.

Your Adobe software is outdated. I recommend downloading and installing the latest version of Adobe Reader (and any other Adobe product you might use, like Flash).

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen OTL on your desktop.
  2. Copy and paste the following code into the Custom Scans/Fixes textbox.
    :otl
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

    :commands
    [emptytemp]

  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and paste that report in your next reply.

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

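All six values the OTL fix above removes point Internet Explorer at a proxy on the machine itself (ProxyEnable = 1 with ProxyServer = http=127.0.0.1:6522, in both the .DEFAULT and the S-1-5-18 hive). A browser proxy on loopback normally means some local program has placed itself between the browser and the network, which is why it is worth flagging on any OTL log; the fix report further down confirms the cleanup by setting ProxyEnable to 0 and clearing the other two values. The script below is an added example, not part of this thread and not OTL's own code: it parses the "IE -" lines OTL prints for each user hive and classifies the proxy configuration found there. The .DEFAULT and S-1-5-18 lines are copied from the fix above; the S-1-5-21-... hives, their values and the host proxy.corp.example are constructed sample input.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed sample input in the shape OTL uses for its "IE -" lines.
# The .DEFAULT and S-1-5-18 entries mirror the fix in the thread; the
# S-1-5-21-* hives are made up to exercise the other verdicts.
SAMPLE_OTL_LINES = r"""
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
IE - HKU\S-1-5-21-1000-2000-3000-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1000-2000-3000-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
IE - HKU\S-1-5-21-1000-2000-3000-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1000-2000-3000-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.corp.example:8080
IE - HKU\S-1-5-21-1000-2000-3000-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
"""

# One line per value: the user hive (HKU\.DEFAULT or HKU\<SID>), the value
# name and the value text are captured.
IE_LINE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion'
    r'\\Internet Settings: "(?P<name>\w+)" = (?P<value>.*)$'
)


def parse_otl_ie_lines(text: str) -> Dict[str, Dict[str, str]]:
    """Group the Internet Settings values OTL reports, keyed by user hive."""
    hives: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        m = IE_LINE.match(raw.strip())
        if m:
            hives.setdefault(m["hive"], {})[m["name"]] = m["value"].strip()
    return hives


def proxy_hosts(proxy_server: str) -> List[Tuple[str, str]]:
    """Split a ProxyServer value into (host, port) pairs.

    IE accepts either a single "host:port" or a per-protocol list such as
    "http=host:port;https=host:port"; both forms are handled here.
    """
    hosts: List[Tuple[str, str]] = []
    for entry in proxy_server.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                      # drop the "http=" protocol prefix
            entry = entry.split("=", 1)[1]
        host, sep, port = entry.rpartition(":")
        if not sep:                           # no port given at all
            host, port = entry, ""
        hosts.append((host.strip("[]"), port))
    return hosts


def is_loopback(host: str) -> bool:
    """True for localhost or any address in 127.0.0.0/8 (or ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:                        # a hostname, not an address
        return False


def assess_proxies(hives: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Classify each hive's proxy configuration.

    loopback-proxy-active : ProxyEnable=1 and the proxy is on this machine
                            (the state the OTL fix in the thread cleans up)
    remote-proxy-active   : ProxyEnable=1 and the proxy is another host
    stale-loopback-proxy  : proxy disabled, but a loopback ProxyServer was left behind
    no-proxy              : nothing to report
    """
    verdicts: Dict[str, str] = {}
    for hive, values in hives.items():
        enabled = values.get("ProxyEnable", "0") == "1"
        hosts = proxy_hosts(values.get("ProxyServer", ""))
        loopback = any(is_loopback(h) for h, _ in hosts)
        if enabled and loopback:
            verdicts[hive] = "loopback-proxy-active"
        elif enabled and hosts:
            verdicts[hive] = "remote-proxy-active"
        elif loopback:
            verdicts[hive] = "stale-loopback-proxy"
        else:
            verdicts[hive] = "no-proxy"
    return verdicts


if __name__ == "__main__":
    for hive, verdict in assess_proxies(parse_otl_ie_lines(SAMPLE_OTL_LINES)).items():
        print(f"{verdict:22} {hive}")
```

A "loopback-proxy-active" verdict is the one to act on: the next step is to find out which process is listening on that port before the proxy values are removed, so the program that set them is cleaned up as well and cannot simply re-add them. A "stale-loopback-proxy" is only residue, but clearing it avoids the browser silently losing connectivity if ProxyEnable is ever switched back on.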

Elise,

I updated the software you specified and ran OTL.

All processes killed

========== OTL ==========

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 56502 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 20114 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Rudy

->Temp folder emptied: 70865 bytes

->Temporary Internet Files folder emptied: 176840007 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

->Google Chrome cache emptied: 0 bytes

->Apple Safari cache emptied: 0 bytes

->Flash cache emptied: 584 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 253460 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 53600616 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 220.00 mb

OTL by OldTimer - Version 3.2.17.2 log created on 11062010_115445

Files\Folders moved on Reboot...

C:\Documents and Settings\Rudy\Local Settings\Temporary Internet Files\Content.IE5\P1N7DLAA\iframe[1].htm moved successfully.

C:\Documents and Settings\Rudy\Local Settings\Temporary Internet Files\Content.IE5\M52SJ7V1\index[3].htm moved successfully.

C:\Documents and Settings\Rudy\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

C:\Documents and Settings\Rudy\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...


Hi, do you have any problems left?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click the ESET Smart Installer link to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.

    3. Check the box to accept the terms of use.
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Check "Scan archives".
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push "List found threats".
    10. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the Back button.
    12. Push Finish.


Hello,

C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP19\A0006065.DLL a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

Just two lines,

R


That's great, just some leftovers, which means you are good to go. :D

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :D

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Please rerun OTL and click the Cleanup button. Allow a reboot. This will remove all tools and logs.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Hello again Elise

I have read your suggestions above, although I have not visited the links as yet. I have also attempted to run the combofix uninstall and was informed it would not uninstall properly as long as AVG is installed, so I tried to uninstall AVG only to be confronted with the following error message:

Severity: Error

Error Code: 0xC0070643

Error Message: General Internal Error

Additional Message: Removal of the Product Failed

Context: Uninstallation of AVG

Any suggestions about the AVG SNAFU? At this point I am not sure if I want to keep running AVG. I already have Microsoft Security Essentials and Malwarebytes free edition loaded. (Correction, I had to uninstall Microsoft Security Essentials in order to uninstall AVG. AAARRRGGH! Overkill of Anti-spyware junk on the machine--but right now I guess I'm more than just a little paranoid.)

I also have a question regarding the registry of my machine--Is there an application I can run to clean up possible registry errors? Do you think I need to do this?

You had mentioned early on in the process that I may want to consider doing a "factory restore"--I think that is the correct term--of the OS of my machine once it was cleaned up. Do you think that is advisable at this point?

Finally, I want to thank you for your very patient and kind assistance. You are just "what the doctor ordered." My hat is off to you and your professional "Computer-side Manner." I am not sure where or how you got your training to help out poor souls like myself, but I can only say I appreciate the fact that there are people like you out there to give aid and assistance to those of us who are uninformed regarding the processes, procedures and software packages available to help us through a tough set of circumstances.

Thank you, again.

Rudy


Hi Rudy, try to run the AVG remover

You need to run only one Antivirus. I recommend MS security essentials over AVG since it has a better detection rate.

I also have a question regarding the registry of my machine--Is there an application I can run to clean up possible registry errors? Do you think I need to do this?
I do not recommend using registry cleaners. In the best case they do not improve a thing, in the worst case they can do considerable damage.
Finally, I want to thank you for your very patient and kind assistance. You are just "what the doctor ordered." My hat is off to you and your professional "Computer-side Manner." I am not sure where or how you got your training to help out poor souls like myself, but I can only say I appreciate the fact that there are people like you out there to give aid and assistance to those of us who are uninformed regarding the processes, procedures and software packages available to help us through a tough set of circumstances.
Thank you for your kind words. :P If you are interested in how I got training or maybe following some yourself, you can click the UNITE banner in my signature. You can click in the left panel of the site on "UNITE schools" to see where this training is offered.

Please let me know if this took care of the last problems and answered your questions. :P


Elise,

Everything seems to be back to normal. Thank you again. I have been trying to get all of my programs up to date--no easy task.

I thought I would give the machine a couple of days--just in case something cropped up. But all appears to be well.

Regards,

Rudy
