
Browser hijack, google redirect


loki993


Ok, I seem to have some redirect malware. It will periodically pop up a new browser window with some advertisement in it. Also, every now and then it will redirect a search from Google; I also tried Yahoo and it did it there as well.

Malwarebytes doesn't pick anything up. Please take a look; I can't figure anything out.

Here's DDS:

DDS (Ver_10-11-27.01) - NTFS_AMD64

Run by glasgowr at 10:28:36.29 on Sat 11/27/2010

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.1976.985 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\Hpservice.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

c:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe

c:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\AEADISRV.EXE

C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe

C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireSvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe

C:\Program Files (x86)\McAfee\Host Intrusion Prevention\HIPSCore\x64\HIPSvc.exe

C:\Windows\system32\inetsrv\inetinfo.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe

C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe

C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe

C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Windows\system32\mfevtps.exe

C:\Program Files (x86)\IBM\Lotus\Notes\ntmulti.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

C:\Program Files (x86)\Hewlett-Packard\PC COE\COEMsgDisplay.exe

C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireTray.exe

C:\Program Files (x86)\RA2HP\HPRAService.exe

C:\Program Files (x86)\Hewlett-Packard\PC COE\Ida.exe

C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe

C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe

C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe

C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe

C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe

C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe

C:\PROGRA~2\HEWLET~1\PCCOE3~1\OVCMS~1\radalert.exe

C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe

C:\Program Files (x86)\McAfee\Common Framework\McTray.exe

C:\Program Files (x86)\Level0\bin\sprtsvc.exe

C:\Program Files (x86)\Level0\bin\tgsrvc.exe

C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe

C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

C:\Users\glasgowr\Desktop\dds.scr

C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://usahsbpo005.americas.cpqcorp.net/EKMS/WGI_GMSD_GLOBAL/

uDefault_Page_URL = hxxp://athp.hp.com

uInternet Settings,ProxyOverride = *.gm.com;*.eds.com;*.gmeds.com;*.allisontransmission.com;*.edssdn.com;*.edssdn.net;*.hp.com;*.hp.net;*.hpqcorp.net;*.cpqcorp.net;*.hpshopping.com;usplsmqm*;usahsmqm*;CAMKSMQM*;CACGSMQM*;161.14.*.*;164.56.170.250;204.105.*;204.104.*;204.103.*;205.239.*;207.37.*;207.169.*;164.56.169.*;192.85.*;130.170.220.106;129.124.64.209;130.172.11.14;148.98.150.57;<local>

uInternet Settings,ProxyServer = web-proxy.atlanta.hp.com:8080

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll

mWinlogon: Userinit=userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

mRun: [COEMsgDisplay] c:\Program Files (x86)\Hewlett-Packard\PC COE\COEMsgDisplay.exe

mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfee Host Intrusion Prevention Tray] "C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireTray.exe"

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [Communicator] "c:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey

mRun: [HPRAService] C:\Program Files (x86)\RA2HP\HPRAService.exe

mRun: [iDA] c:\Program Files (x86)\Hewlett-Packard\PC COE\IDA.EXE

mRun: [soundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe

mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Level0] "C:\Program Files (x86)\Level0\bin\sprtcmd.exe" /P Level0

mRun: [GetITIcon] C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ACTIVC~1.LNK - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: HideFastUserSwitching = 1 (0x1)

mPolicies-system: DisableNT4Policy = 1 (0x1)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files (x86)\Hewlett-Packard\IEToolBar\HP IE Fix.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

Trusted Zone: compaq.com

Trusted Zone: compaq.com.ar

Trusted Zone: compaq.com.br

Trusted Zone: compaq.com.co

Trusted Zone: compaq.com.mx

Trusted Zone: compaq.com.sg

Trusted Zone: compaq.com.ve

Trusted Zone: cpqcorp.net

Trusted Zone: dcu.org

Trusted Zone: eds.com

Trusted Zone: hp.com

Trusted Zone: hpqcorp.net

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll

mASetup: {9AC2D554-AC12-4F1F-AAB9-E6363ADE5381} - "C:\Program Files (x86)\Common Files\Hewlett-Packard\ActSet\HpActSet.exe"

mASetup: {AC76BA86-7AD7-1033-7B44-A93000000001} - msiexec.exe /fomus {AC76BA86-7AD7-1033-7B44-A93000000001} /qb!

mRun-x64: [acevents] "c:\Program Files\ActivIdentity\ActivClient\acevents.exe"

mRun-x64: [(Default)]

mRun-x64: [accrdsub] "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"

mRun-x64: [igfxTray] C:\Windows\system32\igfxtray.exe

mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe

mRun-x64: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun-x64: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe

mRun-x64: [PasswordRegistration] C:\Windows\system32\MsPwdRegistration.exe

Hosts: 204.103.7.186 USAHSMAIC003 USAHSMAIC003.gls.gdad.edssdn.net

Hosts: 204.103.7.187 USAHSMAIC004 USAHSMAIC004.gls.gdad.edssdn.net

Hosts: 204.105.24.199 USPLSMAIC009 USPLSMAIC009.gls.gdad.edssdn.net

Hosts: 204.105.24.201 USPLSMAIC010 USPLSMAIC010.gls.gdad.edssdn.net

Hosts: 204.105.24.203 USPLSMAIC011 USPLSMAIC011.gls.gdad.edssdn.net

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2010-4-23 470424]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]

R2 ac.sharedstore;ActivIdentity Shared Store Service;C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-6-3 277032]

R2 cpextender;Check Point SSL Network Extender;C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe [2009-4-2 353672]

R2 enterceptAgent;McAfee Host Intrusion Prevention Service;C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireSvc.exe [2010-6-15 1498224]

R2 FIMPasswordReset;Forefront Identity Manager Password Reset Client Service;C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe [2010-8-18 75608]

R2 hips;McAfee HIPSCore Service;C:\Program Files (x86)\McAfee\Host Intrusion Prevention\HIPSCore\x64\HIPSvc.exe [2010-11-4 39840]

R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2010-7-16 30520]

R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe [2008-12-6 3315080]

R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe [2009-12-16 222528]

R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe [2010-1-6 20792]

R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2009-9-24 120128]

R2 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe [2010-1-6 180968]

R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [2010-1-6 66896]

R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2010-4-23 77968]

R2 radexecd;HPCA Notify Daemon;C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe [2009-11-13 292584]

R2 radsched;HPCA Scheduler Daemon;C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [2009-11-13 186088]

R2 Radstgms;HPCA MSI Redirector;C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe [2009-11-13 325352]

R2 sprtsvc_level0;SupportSoft Sprocket Service (level0);C:\Program Files (x86)\level0\bin\sprtsvc.exe [2008-6-6 202016]

R2 tgsrvc_level0;SupportSoft Repair Service (level0);C:\Program Files (x86)\level0\bin\tgsrvc.exe [2008-6-6 148768]

R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-10-12 228408]

R3 FirehkMP;FirehkMP;C:\Windows\System32\drivers\firehk.sys [2010-4-23 56648]

R3 HIPK;McAfee Inc. HIPK;C:\Windows\System32\drivers\HIPK.sys [2010-4-23 138904]

R3 HIPPSK;McAfee Inc. HIPPSK;C:\Windows\System32\drivers\HIPPSK.sys [2010-4-23 45424]

R3 HIPQK;McAfee Inc. HIPQK;C:\Windows\System32\drivers\HIPQK.sys [2010-4-23 40152]

R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2010-4-23 120096]

R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]

R3 RadiaMsi;RadiaMsi;C:\Windows\System32\drivers\radiamsi.sys [2009-9-10 43032]

R3 VNA;Check Point Virtual Network Adapter;C:\Windows\System32\drivers\vna.sys [2009-11-2 161256]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 Firehk;McAfee NDIS Intermediate Filter;C:\Windows\System32\drivers\firehk.sys [2010-4-23 56648]

S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2010-4-23 78896]

S3 rimspci;rimspci;C:\Windows\System32\drivers\rimspe64.sys [2009-7-2 60416]

S3 risdpcie;risdpcie;C:\Windows\System32\drivers\risdpe64.sys [2009-7-1 80896]

S3 rixdpcie;rixdpcie;C:\Windows\System32\drivers\rixdpe64.sys [2009-7-4 55808]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-11-16 1255736]

=============== Created Last 30 ================

2010-11-27 15:23:37 47080 ----a-w- C:\Windows\System32\HIPIS0e011b5.dll

2010-11-27 15:23:37 40328 ----a-w- C:\Windows\SysWow64\HIPIS0e011b5.dll

2010-11-27 15:11:06 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2010-11-27 15:11:00 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2010-11-25 03:07:45 -------- d-----w- C:\Users\glasgowr\AppData\Roaming\Malwarebytes

2010-11-25 03:07:33 -------- d-----w- C:\PROGRA~3\Malwarebytes

2010-11-25 03:07:32 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys

2010-11-24 22:07:08 92 ----a-w- C:\Users\glasgowr\AppData\Local\A498.tmp

2010-11-24 13:40:21 92 ----a-w- C:\Users\glasgowr\AppData\Local\A7F5.tmp

2010-11-23 23:58:19 92 ----a-w- C:\Users\glasgowr\AppData\Local\3623.tmp

2010-11-23 15:58:21 92 ----a-w- C:\Users\glasgowr\AppData\Local\C922.tmp

2010-11-23 13:30:30 92 ----a-w- C:\Users\glasgowr\AppData\Local\6921.tmp

2010-11-22 23:45:26 92 ----a-w- C:\Users\glasgowr\AppData\Local\6D74.tmp

2010-11-22 23:34:04 92 ----a-w- C:\Users\glasgowr\AppData\Local\585E.tmp

2010-11-22 23:34:04 346003 ----a-w- C:\Users\glasgowr\AppData\Local\57A2.tmp

2010-11-22 23:34:04 346003 ----a-w- C:\Users\glasgowr\AppData\Local\5791.tmp

2010-11-22 13:36:41 92 ----a-w- C:\Users\glasgowr\AppData\Local\6837.tmp

2010-11-19 23:35:58 92 ----a-w- C:\Users\glasgowr\AppData\Local\6E5E.tmp

2010-11-19 13:39:34 92 ----a-w- C:\Users\glasgowr\AppData\Local\6634.tmp

2010-11-19 00:29:20 92 ----a-w- C:\Users\glasgowr\AppData\Local\B389.tmp

2010-11-18 13:29:59 92 ----a-w- C:\Users\glasgowr\AppData\Local\946.tmp

2010-11-17 23:33:16 92 ----a-w- C:\Users\glasgowr\AppData\Local\9C31.tmp

2010-11-17 13:31:37 92 ----a-w- C:\Users\glasgowr\AppData\Local\BFB8.tmp

2010-11-17 00:34:01 -------- d-----w- C:\Windows\SysWow64\Wat

2010-11-17 00:34:00 -------- d-----w- C:\Windows\System32\Wat

2010-11-17 00:27:29 14336 ----a-w- C:\Windows\System32\drivers\sffp_sd.sys

2010-11-17 00:23:20 27008 ----a-w- C:\Windows\System32\drivers\Diskdump.sys

2010-11-17 00:16:43 92 ----a-w- C:\Users\glasgowr\AppData\Local\6450.tmp

2010-11-17 00:16:43 346003 ----a-w- C:\Users\glasgowr\AppData\Local\63C3.tmp

2010-11-17 00:16:43 346003 ----a-w- C:\Users\glasgowr\AppData\Local\63B2.tmp

2010-11-16 23:59:51 92 ----a-w- C:\Users\glasgowr\AppData\Local\4CFD.tmp

2010-11-16 23:37:09 92 ----a-w- C:\Users\glasgowr\AppData\Local\84DA.tmp

2010-11-16 13:42:07 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll

2010-11-16 13:42:07 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll

2010-11-16 13:42:07 48960 ----a-w- C:\Windows\System32\netfxperf.dll

2010-11-16 13:42:07 444752 ----a-w- C:\Windows\System32\mscoree.dll

2010-11-16 13:42:07 320352 ----a-w- C:\Windows\System32\PresentationHost.exe

2010-11-16 13:42:07 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll

2010-11-16 13:42:07 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe

2010-11-16 13:42:07 1942856 ----a-w- C:\Windows\System32\dfshim.dll

2010-11-16 13:42:07 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll

2010-11-16 13:42:07 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll

2010-11-16 13:36:10 92 ----a-w- C:\Users\glasgowr\AppData\Local\4D96.tmp

2010-11-15 15:40:44 92 ----a-w- C:\Users\glasgowr\AppData\Local\3526.tmp

2010-11-08 17:02:17 -------- d-----w- C:\Users\glasgowr\AppData\Local\Apps

2010-11-08 15:40:55 148992 ----a-w- C:\Windows\System32\t2embed.dll

2010-11-08 15:40:55 109056 ----a-w- C:\Windows\SysWow64\t2embed.dll

2010-11-08 15:40:48 2085376 ----a-w- C:\Windows\System32\ole32.dll

2010-11-08 15:40:48 1413632 ----a-w- C:\Windows\SysWow64\ole32.dll

2010-11-08 15:40:47 4582912 ----a-w- C:\Program Files\Windows NT\Accessories\wordpad.exe

2010-11-08 15:40:47 4247040 ----a-w- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe

2010-11-08 15:40:40 483840 ----a-w- C:\Windows\System32\StructuredQuery.dll

2010-11-08 15:40:40 363520 ----a-w- C:\Windows\SysWow64\StructuredQuery.dll

2010-11-08 15:39:58 633856 ----a-w- C:\Windows\System32\comctl32.dll

2010-11-08 15:39:58 530432 ----a-w- C:\Windows\SysWow64\comctl32.dll

2010-11-05 14:39:45 9728 ----a-w- C:\Windows\SysWow64\sscore.dll

2010-11-05 14:39:45 463360 ----a-w- C:\Windows\System32\drivers\srv.sys

2010-11-05 14:39:45 402944 ----a-w- C:\Windows\System32\drivers\srv2.sys

2010-11-05 14:39:45 236032 ----a-w- C:\Windows\System32\srvsvc.dll

2010-11-05 14:39:45 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys

2010-11-05 14:37:39 3123712 ----a-w- C:\Windows\System32\win32k.sys

2010-11-01 21:03:17 -------- d-----w- C:\Users\glasgowr\net

2010-11-01 21:01:49 -------- d-----w- C:\Program Files (x86)\Common Files\Research In Motion

2010-11-01 21:01:07 -------- d-----w- C:\Program Files (x86)\Research In Motion

2010-11-01 12:54:06 -------- d-----w- C:\Users\glasgowr\AppData\Local\Lotus

==================== Find3M ====================

2010-11-04 05:42:20 136512 ----a-w- C:\Windows\SysWow64\KevlarSigs.dll

2010-10-22 12:51:01 627712 ----a-w- C:\Windows\SysWow64\gpprefbr.dll

2010-10-22 12:51:00 2548736 ----a-w- C:\Windows\SysWow64\propshts.dll

2010-10-22 12:50:59 4342272 ----a-w- C:\Windows\SysWow64\gppref.dll

2010-10-22 12:50:59 225280 ----a-w- C:\Windows\SysWow64\gpregistrybrowser.dll

2010-10-22 12:50:59 166400 ----a-w- C:\Windows\SysWow64\gpprefcn.dll

2010-10-22 12:50:57 901632 ----a-w- C:\Windows\System32\gpprefbr.dll

2010-10-22 12:50:56 3787776 ----a-w- C:\Windows\System32\propshts.dll

2010-10-22 12:50:54 4887552 ----a-w- C:\Windows\System32\gppref.dll

2010-10-22 12:50:54 302080 ----a-w- C:\Windows\System32\gpregistrybrowser.dll

2010-10-22 12:50:54 236032 ----a-w- C:\Windows\System32\gpprefcn.dll

2010-09-10 05:35:44 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2010-09-10 05:35:43 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2010-09-08 05:36:17 1192960 ----a-w- C:\Windows\System32\wininet.dll

2010-09-08 05:34:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2010-09-08 04:30:04 978432 ----a-w- C:\Windows\SysWow64\wininet.dll

2010-09-08 04:28:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2010-09-08 04:16:38 482816 ----a-w- C:\Windows\System32\html.iec

2010-09-08 03:35:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2010-09-08 03:22:31 386048 ----a-w- C:\Windows\SysWow64\html.iec

2010-09-08 02:48:16 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2010-09-01 05:12:09 12625920 ----a-w- C:\Windows\System32\wmploc.DLL

2010-09-01 04:23:49 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL

2010-08-31 04:32:30 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll

2010-08-31 04:32:30 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll

============= FINISH: 10:30:20.01 ===============

Attach.zip

ark.zip
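Reading a DDS log by eye is slow, and the two sections that matter most for a redirect complaint are the Pseudo HJT Report and Created Last 30. The script below is an added example, not part of this thread and not code from DDS or Malwarebytes: it splits a DDS log into its sections, parses those two, and flags the things a helper would verify first: the EnableLUA = 0 policy (UAC off, so anything the user runs can change the machine silently), the per-user proxy server (a proxy is exactly where a search redirect could be injected, so it must be confirmed as the expected corporate one), the HOSTS overrides, and the run of same-size .tmp files dropped into AppData\Local on several different days. The sample input is a trimmed copy of lines from the log posted above; the rules and their names (`uac_disabled`, `proxy_server`, `hosts_overrides`, `repeated_tmp_drops`) are my own heuristics and produce items to check, not verdicts. On a managed enterprise build the policy and proxy entries may well be intentional.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a trimmed set of lines in the shape of the DDS log posted
# above (Pseudo HJT Report and Created Last 30 sections), used as offline input.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uInternet Settings,ProxyServer = web-proxy.atlanta.hp.com:8080
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
Hosts: 204.103.7.186 USAHSMAIC003 USAHSMAIC003.gls.gdad.edssdn.net
Hosts: 204.103.7.187 USAHSMAIC004 USAHSMAIC004.gls.gdad.edssdn.net
Note: multiple HOSTS entries found. Please refer to Attach.txt
=============== Created Last 30 ================
2010-11-24 22:07:08 92 ----a-w- C:\Users\glasgowr\AppData\Local\A498.tmp
2010-11-24 13:40:21 92 ----a-w- C:\Users\glasgowr\AppData\Local\A7F5.tmp
2010-11-23 23:58:19 92 ----a-w- C:\Users\glasgowr\AppData\Local\3623.tmp
2010-11-22 23:34:04 346003 ----a-w- C:\Users\glasgowr\AppData\Local\57A2.tmp
2010-11-17 00:23:20 27008 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2010-11-27 15:11:00 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
============= FINISH: 10:30:20.01 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-+) (\S+) (.+)$")
POLICY_RE = re.compile(r"^mPolicies-(\w+): (\w+) = (\d+)")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the '=== Name ===' header that precedes them."""
    sections: Dict[str, List[str]] = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return sections


def parse_created(lines: List[str]) -> List[dict]:
    """Parse 'Created Last 30' rows: date time size attrs path ('--------' size = directory)."""
    rows = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        date, _time, size, attrs, path = m.groups()
        rows.append({
            "date": date,
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return rows


def triage(text: str) -> List[dict]:
    """Apply a few defender-side heuristics (mine, not DDS's) and return the findings."""
    findings = []
    sections = split_sections(text)
    hjt = sections.get("Pseudo HJT Report", [])
    for line in hjt:
        m = POLICY_RE.match(line)
        if m and m.group(2) == "EnableLUA" and m.group(3) == "0":
            findings.append({"rule": "uac_disabled", "detail": line})
        elif line.startswith("uInternet Settings,ProxyServer"):
            findings.append({"rule": "proxy_server", "detail": line.split("=", 1)[1].strip()})
    hosts = [l for l in hjt if l.startswith("Hosts:")]
    if hosts:
        findings.append({"rule": "hosts_overrides", "detail": f"{len(hosts)} entries"})
    # Same-size .tmp files dropped repeatedly into one folder on different days:
    # a recurring-dropper pattern that deserves a look at the files themselves.
    groups: Dict[tuple, set] = defaultdict(set)
    for row in parse_created(sections.get("Created Last 30", [])):
        if row["is_dir"] or not row["path"].lower().endswith(".tmp"):
            continue
        folder = row["path"].rsplit("\\", 1)[0]
        groups[(row["size"], folder)].add(row["date"])
    for (size, folder), dates in groups.items():
        if len(dates) >= 2:
            findings.append({"rule": "repeated_tmp_drops",
                             "detail": f"{size}-byte .tmp files in {folder} on {len(dates)} days"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['rule']}] {f['detail']}")
```

Run it against a full DDS.txt by replacing `SAMPLE_DDS` with the file's contents; the section splitter also keeps the other sections (Running Processes, SERVICES / DRIVERS, Find3M) so further rules can be added without touching the parser.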


Hello :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your desktop.

  • Extract RKUnhooker to your desktop.
    • Note** it is zipped up in a .rar file - if you do not have a program to unzip this type of file, you can get a free one from here: http://www.7-zip.org/

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


OTL logfile created on: 11/28/2010 10:19:43 AM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\glasgowr\Desktop

64bit- Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 52.00% Memory free

4.00 Gb Paging File | 2.00 Gb Available in Paging File | 65.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 149.05 Gb Total Space | 119.81 Gb Free Space | 80.38% Space Free | Partition Type: NTFS

Computer Name: RGLASGOW1 | User Name: glasgowr | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/28 10:14:26 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\glasgowr\Desktop\OTL.exe

PRC - [2010/06/15 10:57:02 | 001,498,224 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireSvc.exe

PRC - [2010/06/15 10:57:00 | 000,979,104 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireTray.exe

PRC - [2010/01/06 15:07:00 | 000,083,280 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcupdate.exe

PRC - [2010/01/06 15:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe

PRC - [2009/12/16 19:31:06 | 000,222,528 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe

PRC - [2009/11/13 10:45:20 | 000,325,352 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe

PRC - [2009/11/13 10:44:52 | 000,186,088 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe

PRC - [2009/11/13 10:43:06 | 000,292,584 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe

PRC - [2009/11/13 10:42:00 | 000,443,960 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\Radalert.exe

PRC - [2009/09/24 23:50:00 | 000,992,576 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe

PRC - [2009/09/24 23:50:00 | 000,185,664 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe

PRC - [2009/09/24 23:50:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe

PRC - [2009/09/24 23:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe

PRC - [2009/09/24 23:50:00 | 000,075,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\McTray.exe

PRC - [2009/08/25 09:57:52 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe

PRC - [2009/08/25 09:57:44 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

PRC - [2009/06/02 14:05:46 | 000,076,344 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe

PRC - [2009/05/18 08:28:04 | 001,314,816 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe

PRC - [2009/04/02 14:03:40 | 000,353,672 | ---- | M] (Check Point Software Technologies) -- C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe

PRC - [2008/12/06 07:37:30 | 000,058,760 | ---- | M] (IBM Corp) -- C:\Program Files (x86)\IBM\Lotus\Notes\ntmulti.exe

PRC - [2008/12/06 07:36:38 | 003,315,080 | ---- | M] (IBM) -- C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe

PRC - [2008/08/12 06:33:42 | 000,176,128 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Hewlett-Packard\PC COE\Ida.exe

PRC - [2008/06/06 12:22:42 | 000,148,768 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\level0\bin\tgsrvc.exe

PRC - [2008/06/06 12:22:40 | 000,202,016 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\level0\bin\sprtsvc.exe

PRC - [2008/06/06 12:22:34 | 000,202,016 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\level0\bin\sprtcmd.exe

PRC - [2007/04/11 16:44:46 | 000,026,624 | ---- | M] (Hewlett Packard) -- C:\Program Files (x86)\Hewlett-Packard\PC COE\COEMsgDisplay.exe

========== Modules (SafeList) ==========

MOD - [2010/11/28 10:14:26 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\glasgowr\Desktop\OTL.exe

MOD - [2010/08/21 00:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll

MOD - [2009/07/13 20:15:31 | 000,154,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\imagehlp.dll

MOD - [2009/07/13 20:09:00 | 000,002,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\normaliz.dll

MOD - [2008/06/06 12:22:38 | 000,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\level0\bin\sprthook.dll

MOD - [2008/06/06 12:22:34 | 000,053,248 | ---- | M] (SupportSoft) -- C:\Program Files (x86)\level0\bin\sdcidle.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/08/18 18:23:48 | 000,075,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe -- (FIMPasswordReset)

SRV:64bit: - [2010/07/16 15:03:58 | 000,030,520 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\hpservice.exe -- (hpsrv)

SRV:64bit: - [2010/06/15 10:57:12 | 000,077,968 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Windows\SysNative\mfevtps.exe -- (mfevtp)

SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)

SRV:64bit: - [2009/07/13 20:39:13 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (IISADMIN)

SRV:64bit: - [2009/06/03 11:38:36 | 000,277,032 | ---- | M] (ActivIdentity) [Auto | Running] -- c:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe -- (ac.sharedstore)

SRV:64bit: - [2008/07/15 08:09:48 | 000,111,616 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\AEADISRV.EXE -- (AEADIFilters)

SRV - [2010/06/15 10:57:12 | 000,039,840 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\Host Intrusion Prevention\HIPSCore\x64\HIPSvc.exe -- (hips)

SRV - [2010/06/15 10:57:02 | 001,498,224 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireSvc.exe -- (enterceptAgent)

SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2010/01/06 15:07:00 | 000,180,968 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe -- (McShield)

SRV - [2010/01/06 15:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)

SRV - [2010/01/06 15:07:00 | 000,020,792 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe -- (McAfeeEngineService)

SRV - [2009/12/16 19:31:06 | 000,222,528 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe -- (McAfee SiteAdvisor Enterprise Service)

SRV - [2009/11/13 10:45:20 | 000,325,352 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe -- (Radstgms)

SRV - [2009/11/13 10:44:52 | 000,186,088 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe -- (radsched)

SRV - [2009/11/13 10:43:06 | 000,292,584 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe -- (radexecd)

SRV - [2009/09/24 23:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)

SRV - [2009/08/25 09:57:52 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®

SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

SRV - [2009/04/02 14:03:40 | 000,353,672 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe -- (cpextender)

SRV - [2008/12/06 07:37:30 | 000,058,760 | ---- | M] (IBM Corp) [Auto | Running] -- C:\Program Files (x86)\IBM\Lotus\Notes\ntmulti.exe -- (Multi-user Cleanup Service)

SRV - [2008/12/06 07:36:38 | 003,315,080 | ---- | M] (IBM) [Auto | Running] -- C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe -- (Lotus Notes Diagnostics)

SRV - [2008/06/06 12:22:42 | 000,394,608 | ---- | M] (SupportSoft, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)

SRV - [2008/06/06 12:22:42 | 000,148,768 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files (x86)\Level0\bin\tgsrvc.exe -- (tgsrvc_level0) SupportSoft Repair Service (level0)

SRV - [2008/06/06 12:22:40 | 000,202,016 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files (x86)\Level0\bin\sprtsvc.exe -- (sprtsvc_level0) SupportSoft Sprocket Service (level0)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/07/16 15:04:04 | 000,030,008 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\hpdskflt.sys -- (hpdskflt)

DRV:64bit: - [2010/07/16 15:03:48 | 000,043,320 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Accelerometer.sys -- (Accelerometer)

DRV:64bit: - [2010/06/15 10:57:12 | 000,098,088 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)

DRV:64bit: - [2010/06/15 10:57:10 | 000,470,424 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)

DRV:64bit: - [2010/06/15 10:57:10 | 000,138,904 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HIPK.sys -- (HIPK)

DRV:64bit: - [2010/06/15 10:57:10 | 000,084,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mfetdik.sys -- (mfetdik)

DRV:64bit: - [2010/06/15 10:57:10 | 000,045,424 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HIPPSK.sys -- (HIPPSK)

DRV:64bit: - [2010/06/15 10:57:10 | 000,040,152 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HIPQK.sys -- (HIPQK)

DRV:64bit: - [2010/06/15 10:57:02 | 000,254,520 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\FireTDI.sys -- (FireTDI)

DRV:64bit: - [2010/06/15 10:57:02 | 000,186,784 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\FirePM.sys -- (FirePM)

DRV:64bit: - [2010/06/15 10:57:00 | 000,038,968 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\firelm01.sys -- (firelm01)

DRV:64bit: - [2010/06/04 02:18:56 | 001,379,376 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)

DRV:64bit: - [2010/02/25 00:02:38 | 000,019,000 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CPQBttn.sys -- (HBtnKey)

DRV:64bit: - [2010/01/13 16:37:18 | 007,675,392 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64) Intel®

DRV:64bit: - [2010/01/06 15:07:00 | 000,120,096 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)

DRV:64bit: - [2010/01/06 15:07:00 | 000,078,896 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)

DRV:64bit: - [2009/12/31 05:04:57 | 000,360,712 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcvmm.sys -- (vpcvmm)

DRV:64bit: - [2009/11/02 17:43:16 | 000,161,256 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vna.sys -- (VNA)

DRV:64bit: - [2009/09/22 20:46:18 | 000,066,304 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcnfltr.sys -- (vpcnfltr)

DRV:64bit: - [2009/09/22 20:32:39 | 000,095,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpcusb.sys -- (vpcusb)

DRV:64bit: - [2009/09/22 20:32:33 | 000,187,904 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpchbus.sys -- (vpcbus)

DRV:64bit: - [2009/09/10 18:19:10 | 000,043,032 | ---- | M] (Hewlett Packard) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\radiamsi.sys -- (RadiaMsi)

DRV:64bit: - [2009/08/07 05:24:14 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)

DRV:64bit: - [2009/07/28 15:35:52 | 007,345,632 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)

DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)

DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)

DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)

DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)

DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)

DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)

DRV:64bit: - [2009/07/13 18:21:48 | 000,038,400 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tpm.sys -- (TPM)

DRV:64bit: - [2009/07/13 16:59:33 | 005,020,672 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)

DRV:64bit: - [2009/07/04 14:27:02 | 000,055,808 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rixdpe64.sys -- (rixdpcie)

DRV:64bit: - [2009/07/02 03:54:52 | 000,060,416 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rimspe64.sys -- (rimspci)

DRV:64bit: - [2009/07/01 13:31:58 | 000,080,896 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\risdpe64.sys -- (risdpcie)

DRV:64bit: - [2009/07/01 07:46:48 | 000,132,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwavdt.sys -- (btwavdt)

DRV:64bit: - [2009/07/01 07:46:40 | 000,021,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwrchid.sys -- (btwrchid)

DRV:64bit: - [2009/06/25 12:04:20 | 000,067,584 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rimmpx64.sys -- (rimmptsk)

DRV:64bit: - [2009/06/25 11:38:52 | 000,057,856 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rixdpx64.sys -- (rismxdp)

DRV:64bit: - [2009/06/25 11:13:44 | 000,055,296 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rimspx64.sys -- (rimsptsk)

DRV:64bit: - [2009/06/10 16:01:06 | 001,146,880 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\agrsm64.sys -- (AgereSoftModem)

DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)

DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)

DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)

DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)

DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

DRV:64bit: - [2009/05/18 08:31:56 | 000,497,152 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ADIHdAud.sys -- (ADIHdAudAddService)

DRV:64bit: - [2009/04/29 03:48:32 | 000,018,432 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)

DRV:64bit: - [2008/10/17 10:26:24 | 000,056,648 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\firehk.sys -- (FirehkMP)

DRV:64bit: - [2008/10/17 10:26:24 | 000,056,648 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\firehk.sys -- (Firehk)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http://autocache.hp.com

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com

IE - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://usahsbpo005.americas.cpqcorp.net/EK...GI_GMSD_GLOBAL/

IE - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)

IE - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.gm.com;*.eds.com;*.gmeds.com;*.allisontransmission.com;*.edssdn.com;*.edssdn.net;*.hp.com;*.hp.net;*.hpqcorp.net;*.cpqcorp.net;*.hpshopping.com;usplsmqm*;usahsmqm*;CAMKSMQM*;CACGSMQM*;161.14.*.*;164.56.170.250;204.105.*;204.104.*;204.103.*;205.239.*;207.37.*;207.169.*;164.56.169.*;192.85.*;130.170.220.106;129.124.64.209;130.172.11.14;148.98.150.57;<local>

IE - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = web-proxy.atlanta.hp.com:8080

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\ [2010/11/24 22:26:29 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/10/22 07:45:05 | 000,001,564 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O1 - Hosts: 204.103.7.186 USAHSMAIC003 USAHSMAIC003.gls.gdad.edssdn.net

O1 - Hosts: 204.103.7.187 USAHSMAIC004 USAHSMAIC004.gls.gdad.edssdn.net

O1 - Hosts: 204.105.24.199 USPLSMAIC009 USPLSMAIC009.gls.gdad.edssdn.net

O1 - Hosts: 204.105.24.201 USPLSMAIC010 USPLSMAIC010.gls.gdad.edssdn.net

O1 - Hosts: 204.105.24.203 USPLSMAIC011 USPLSMAIC011.gls.gdad.edssdn.net

O1 - Hosts: 204.105.24.205 USPLSMAIC012 USPLSMAIC012.gls.gdad.edssdn.net

O1 - Hosts: 204.105.24.207 USPLSMAIC013 USPLSMAIC013.gls.gdad.edssdn.net

O1 - Hosts: 204.105.24.209 USPLSMAIC014 USPLSMAIC014.gls.gdad.edssdn.net

O1 - Hosts: 204.105.24.211 USPLSMAIC015 USPLSMAIC015.gls.gdad.edssdn.net

O1 - Hosts: 204.105.24.213 USPLSMAIC016 USPLSMAIC016.gls.gdad.edssdn.net

O1 - Hosts: 204.105.24.215 USPLSMAIC017 USPLSMAIC017.gls.gdad.edssdn.net

O1 - Hosts: 192.100.46.100 USPLSMAIC018 USPLSMAIC018.amer.corp.eds.com

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)

O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O4:64bit: - HKLM..\Run: [] File not found

O4:64bit: - HKLM..\Run: [accrdsub] c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)

O4:64bit: - HKLM..\Run: [acevents] c:\Program Files\ActivIdentity\ActivClient\acevents.exe (ActivIdentity)

O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [igfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [PasswordRegistration] C:\Windows\SysNative\MsPwdRegistration.exe (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [COEMsgDisplay] c:\Program Files (x86)\Hewlett-Packard\PC COE\COEMsgDisplay.exe (Hewlett Packard)

O4 - HKLM..\Run: [Communicator] c:\Program Files (x86)\Microsoft Office Communicator\communicator.exe (Microsoft Corporation)

O4 - HKLM..\Run: [GetITIcon] C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe (Hewlett-Packard Company)

O4 - HKLM..\Run: [HPRAService] C:\Program Files (x86)\RA2HP\HPRAService.exe (Hewlett-Packard Company)

O4 - HKLM..\Run: [iDA] c:\Program Files (x86)\Hewlett-Packard\PC COE\Ida.exe (Hewlett-Packard Company)

O4 - HKLM..\Run: [Level0] C:\Program Files (x86)\Level0\bin\sprtcmd.exe (SupportSoft, Inc.)

O4 - HKLM..\Run: [McAfee Host Intrusion Prevention Tray] C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireTray.exe (McAfee, Inc.)

O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)

O4 - HKLM..\Run: [shStatEXE] C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKU\S-1-5-19..\Run: [sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)

O4 - HKU\S-1-5-20..\Run: [sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)

O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found

O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\SysWow64\mctadmin.exe File not found

O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reg_off2k7.lnk = C:\Users\glasgowr\reg_off2k7.vbs File not found

O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reg_off2k7.lnk = C:\Users\glasgowr\reg_off2k7.vbs File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: nodrivetypeautorun = 255

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableNT4Policy = 1

O7 - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files (x86)\Hewlett-Packard\IEToolBar\HP IE Fix.exe (Hewlett-Packard Company)

O9 - Extra 'Tools' menuitem : Fix Common Internet Explorer Problems - {E270AB82-96D5-45DB-ABE3-0BC038B92334} - C:\Program Files (x86)\Hewlett-Packard\IEToolBar\HP IE Fix.exe (Hewlett-Packard Company)

O13 - gopher Prefix: missing

O13 - gopher Prefix: missing

O15 - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\..Trusted Domains: dcu.org ([]* in Local intranet)

O15 - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\..Trusted Domains: dcu.org ([]http in Trusted sites)

O15 - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\..Trusted Domains: dcu.org ([]https in Trusted sites)

O15 - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\..Trusted Domains: eds.com ([]* in Trusted sites)

O15 - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\..Trusted Ranges: Range1 ([http] in Trusted sites)

O15 - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\..Trusted Ranges: Range2 ([http] in Trusted sites)

O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} https://abhgm.vpn.eds.com/extender.cab (Reg Error: Key error.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found

O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/28 10:19:09 | 000,000,000 | ---D | C] -- C:\Users\glasgowr\Desktop\RkU3.8.388.590

[2010/11/28 10:17:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\7-Zip

[2010/11/28 10:14:17 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\glasgowr\Desktop\OTL.exe

[2010/11/28 10:10:05 | 000,047,080 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysNative\HIPIS0e011b5.dll

[2010/11/28 10:10:05 | 000,040,328 | ---- | C] (McAfee, Inc.) -- C:\Windows\SysWow64\HIPIS0e011b5.dll

[2010/11/27 10:11:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

[2010/11/27 10:11:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2010/11/27 10:07:54 | 000,000,000 | ---D | C] -- C:\Users\glasgowr\Desktop\other

[2010/11/24 22:07:45 | 000,000,000 | ---D | C] -- C:\Users\glasgowr\AppData\Roaming\Malwarebytes

[2010/11/24 22:07:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2010/11/24 22:07:32 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2010/11/24 08:32:21 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

[2010/11/16 19:34:01 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat

[2010/11/16 19:34:00 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat

[2010/11/12 13:55:52 | 106,061,393 | ---- | C] (Research In Motion) -- C:\Users\glasgowr\Desktop\BlackBerry_Simulators_5.0.0.713_9550.exe

[2010/11/12 13:37:30 | 115,641,769 | ---- | C] (Research In Motion) -- C:\Users\glasgowr\Desktop\BlackBerry_Simulators_5.0.0.833_9650.exe

[2010/11/09 11:52:49 | 000,000,000 | ---D | C] -- C:\Windows\Sun

[2010/11/08 12:02:17 | 000,000,000 | ---D | C] -- C:\Users\glasgowr\AppData\Local\Apps

[2010/11/01 16:03:17 | 000,000,000 | ---D | C] -- C:\Users\glasgowr\net

[2010/11/01 16:01:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Research In Motion

[2010/11/01 16:01:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Research In Motion

[2010/11/01 14:56:52 | 086,421,155 | ---- | C] (Research In Motion) -- C:\Users\glasgowr\Desktop\BlackBerry_Simulators_5.0.0.484_9630.exe

[2010/11/01 14:36:11 | 085,129,184 | ---- | C] (Research In Motion) -- C:\Users\glasgowr\Desktop\BlackBerry_Simulators_4.7.1.65_9630.exe

[2010/11/01 07:54:06 | 000,000,000 | ---D | C] -- C:\Users\glasgowr\AppData\Local\Lotus

[3 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

[23 C:\Users\glasgowr\AppData\Local\*.tmp files -> C:\Users\glasgowr\AppData\Local\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/28 10:26:36 | 000,000,278 | -H-- | M] () -- C:\Windows\tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job

[2010/11/28 10:17:56 | 000,737,056 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2010/11/28 10:17:56 | 000,633,448 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2010/11/28 10:17:56 | 000,109,608 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2010/11/28 10:17:46 | 000,015,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2010/11/28 10:17:46 | 000,015,360 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2010/11/28 10:16:18 | 001,110,476 | ---- | M] () -- C:\Users\glasgowr\Desktop\7z920.exe

[2010/11/28 10:14:50 | 000,629,057 | ---- | M] () -- C:\Users\glasgowr\Desktop\RkU3.8.388.590.rar

[2010/11/28 10:14:26 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\glasgowr\Desktop\OTL.exe

[2010/11/28 10:11:05 | 000,000,338 | -H-- | M] () -- C:\Windows\tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job

[2010/11/28 10:11:03 | 000,000,346 | -H-- | M] () -- C:\Windows\tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job

[2010/11/28 10:11:01 | 000,000,380 | -H-- | M] () -- C:\Windows\tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job

[2010/11/28 10:11:00 | 000,000,392 | -H-- | M] () -- C:\Windows\tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job

[2010/11/28 10:10:07 | 000,040,866 | ---- | M] () -- C:\Windows\SysWow64\api_hook_list.dat

[2010/11/28 10:10:07 | 000,002,033 | ---- | M] () -- C:\Windows\SysNative\api_hook_list.dat

[2010/11/28 10:09:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/11/28 10:09:43 | 1554,202,624 | -HS- | M] () -- C:\hiberfil.sys

[2010/11/27 11:25:06 | 000,000,348 | ---- | M] () -- C:\Users\glasgowr\Desktop\ark.zip

[2010/11/27 11:24:51 | 000,004,240 | ---- | M] () -- C:\Users\glasgowr\Desktop\Attach.zip

[2010/11/27 10:17:47 | 000,000,000 | ---- | M] () -- C:\Users\glasgowr\defogger_reenable

[2010/11/27 10:11:09 | 000,001,019 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/11/27 10:09:43 | 000,630,272 | ---- | M] () -- C:\Users\glasgowr\Desktop\dds.scr

[2010/11/26 15:32:03 | 000,341,361 | ---- | M] () -- C:\Users\glasgowr\Desktop\gmacsites.rtf

[2010/11/26 15:31:20 | 000,013,318 | ---- | M] () -- C:\Users\glasgowr\Desktop\GMAC Stuff.xlsx

[2010/11/26 14:35:43 | 000,016,753 | RHS- | M] () -- C:\ProgramData\ntuser.pol

[2010/11/26 14:35:20 | 000,004,926 | RHS- | M] () -- C:\Users\glasgowr\ntuser.pol

[2010/11/26 11:21:56 | 000,001,832 | ---- | M] () -- C:\Users\glasgowr\AppData\Local\SLC_glasgowr.prx

[2010/11/26 08:47:46 | 000,007,754 | ---- | M] () -- C:\Users\glasgowr\AppData\Local\RAExpertHistory.xml

[2010/11/26 07:59:29 | 000,002,034 | -H-- | M] () -- C:\Users\glasgowr\Documents\Default.rdp

[2010/11/24 14:06:45 | 000,943,889 | ---- | M] () -- C:\Users\glasgowr\Desktop\Black Friday Movies & TV Deals Calendar.mht

[2010/11/24 08:32:17 | 372,526,149 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2010/11/16 08:42:46 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_SynTP_01009.Wdf

[2010/11/12 13:55:52 | 106,061,393 | ---- | M] (Research In Motion) -- C:\Users\glasgowr\Desktop\BlackBerry_Simulators_5.0.0.713_9550.exe

[2010/11/12 13:37:31 | 115,641,769 | ---- | M] (Research In Motion) -- C:\Users\glasgowr\Desktop\BlackBerry_Simulators_5.0.0.833_9650.exe

[2010/11/08 19:36:24 | 000,003,164 | ---- | M] () -- C:\Windows\SysWow64\SiteList.xml

[2010/11/08 16:18:18 | 000,090,624 | ---- | M] () -- C:\Users\glasgowr\Desktop\IDCreationDeletionForm.doc

[2010/11/05 18:17:07 | 000,480,520 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[2010/11/04 00:42:20 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysWow64\KevlarSigs.dll

[2010/11/02 09:31:26 | 000,007,606 | ---- | M] () -- C:\Users\glasgowr\AppData\Local\Resmon.ResmonCfg

[3 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

[23 C:\Users\glasgowr\AppData\Local\*.tmp files -> C:\Users\glasgowr\AppData\Local\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/28 10:16:18 | 001,110,476 | ---- | C] () -- C:\Users\glasgowr\Desktop\7z920.exe

[2010/11/28 10:14:41 | 000,629,057 | ---- | C] () -- C:\Users\glasgowr\Desktop\RkU3.8.388.590.rar

[2010/11/28 10:11:03 | 000,000,338 | -H-- | C] () -- C:\Windows\tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job

[2010/11/28 10:11:01 | 000,000,346 | -H-- | C] () -- C:\Windows\tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job

[2010/11/28 10:11:00 | 000,000,380 | -H-- | C] () -- C:\Windows\tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job

[2010/11/28 10:10:59 | 000,000,392 | -H-- | C] () -- C:\Windows\tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job

[2010/11/28 10:10:46 | 000,000,278 | -H-- | C] () -- C:\Windows\tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job

[2010/11/28 10:10:07 | 000,040,866 | ---- | C] () -- C:\Windows\SysWow64\api_hook_list.dat

[2010/11/28 10:10:07 | 000,002,033 | ---- | C] () -- C:\Windows\SysNative\api_hook_list.dat

[2010/11/27 11:25:06 | 000,000,348 | ---- | C] () -- C:\Users\glasgowr\Desktop\ark.zip

[2010/11/27 11:24:51 | 000,004,240 | ---- | C] () -- C:\Users\glasgowr\Desktop\Attach.zip

[2010/11/27 10:17:47 | 000,000,000 | ---- | C] () -- C:\Users\glasgowr\defogger_reenable

[2010/11/27 10:11:09 | 000,001,019 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/11/27 10:09:31 | 000,630,272 | ---- | C] () -- C:\Users\glasgowr\Desktop\dds.scr

[2010/11/26 15:32:03 | 000,341,361 | ---- | C] () -- C:\Users\glasgowr\Desktop\gmacsites.rtf

[2010/11/26 15:31:19 | 000,013,318 | ---- | C] () -- C:\Users\glasgowr\Desktop\GMAC Stuff.xlsx

[2010/11/24 14:06:43 | 000,943,889 | ---- | C] () -- C:\Users\glasgowr\Desktop\Black Friday Movies & TV Deals Calendar.mht

[2010/11/24 08:32:17 | 372,526,149 | ---- | C] () -- C:\Windows\MEMORY.DMP

[2010/11/16 08:42:46 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_SynTP_01009.Wdf

[2010/11/15 10:40:44 | 000,001,832 | ---- | C] () -- C:\Users\glasgowr\AppData\Local\SLC_glasgowr.prx

[2010/11/08 19:36:24 | 000,003,164 | ---- | C] () -- C:\Windows\SysWow64\SiteList.xml

[2010/11/08 16:18:17 | 000,090,624 | ---- | C] () -- C:\Users\glasgowr\Desktop\IDCreationDeletionForm.doc

[2010/11/02 09:31:26 | 000,007,606 | ---- | C] () -- C:\Users\glasgowr\AppData\Local\Resmon.ResmonCfg

[2010/10/22 12:13:22 | 000,007,754 | ---- | C] () -- C:\Users\glasgowr\AppData\Local\RAExpertHistory.xml

[2010/10/22 07:51:31 | 000,001,311 | ---- | C] () -- C:\Windows\SysWow64\DfsMgmt.dll.config

[2010/10/22 07:22:58 | 000,025,858 | ---- | C] () -- C:\Windows\Qavery.ini

[2010/10/22 07:22:58 | 000,003,333 | ---- | C] () -- C:\Windows\ccq_contact.ini

[2010/10/22 07:22:58 | 000,003,269 | ---- | C] () -- C:\Windows\ccq_request.ini

[2010/10/22 07:22:58 | 000,003,037 | ---- | C] () -- C:\Windows\ccq_cr_contact.ini

[2010/10/22 07:22:58 | 000,002,906 | ---- | C] () -- C:\Windows\ccq_cr_request.ini

[2010/10/22 07:22:58 | 000,002,706 | ---- | C] () -- C:\Windows\salesq.ini

[2010/10/22 07:22:58 | 000,002,009 | ---- | C] () -- C:\Windows\consumerq.ini

[2010/10/22 07:22:58 | 000,001,993 | ---- | C] () -- C:\Windows\ccq_cr.ini

[2010/10/22 07:22:58 | 000,001,796 | ---- | C] () -- C:\Windows\callcenterq.ini

[2010/10/22 07:22:58 | 000,001,544 | ---- | C] () -- C:\Windows\listq.ini

[2010/10/22 07:22:58 | 000,000,124 | ---- | C] () -- C:\Windows\qui.ini

[2010/10/22 07:22:58 | 000,000,087 | ---- | C] () -- C:\Windows\qconsole.ini

[2010/10/22 06:49:24 | 000,733,320 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

[2010/10/22 06:48:04 | 000,000,000 | ---- | C] () -- C:\Users\glasgowr\AppData\Local\QSwitch.txt

[2010/10/22 06:48:04 | 000,000,000 | ---- | C] () -- C:\Users\glasgowr\AppData\Local\DSwitch.txt

[2010/10/22 06:48:04 | 000,000,000 | ---- | C] () -- C:\Users\glasgowr\AppData\Local\AtStart.txt

[2010/10/22 06:38:10 | 000,016,753 | RHS- | C] () -- C:\ProgramData\ntuser.pol

[2010/10/12 14:46:50 | 000,000,190 | ---- | C] () -- C:\ProgramData\HPWALog.txt

[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll

[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

[2007/05/30 02:56:40 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\jdde.dll

========== LOP Check ==========

[2010/10/13 10:42:58 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\domino

[2010/10/22 09:32:49 | 000,000,000 | ---D | M] -- C:\Users\glasgowr\AppData\Roaming\Check Point

[2010/10/22 09:14:25 | 000,000,000 | ---D | M] -- C:\Users\glasgowr\AppData\Roaming\ICAClient

[2010/11/28 10:11:01 | 000,000,380 | -H-- | M] () -- C:\Windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job

[2010/11/28 10:11:03 | 000,000,346 | -H-- | M] () -- C:\Windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job

[2010/11/28 10:11:05 | 000,000,338 | -H-- | M] () -- C:\Windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job

[2010/11/28 10:26:36 | 000,000,278 | -H-- | M] () -- C:\Windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job

[2010/11/28 10:11:00 | 000,000,392 | -H-- | M] () -- C:\Windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job

[2009/07/14 00:08:49 | 000,016,232 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >

Extras:

OTL Extras logfile created on: 11/28/2010 10:19:43 AM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\glasgowr\Desktop

64bit- Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 52.00% Memory free

4.00 Gb Paging File | 2.00 Gb Available in Paging File | 65.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 149.05 Gb Total Space | 119.81 Gb Free Space | 80.38% Space Free | Partition Type: NTFS

Computer Name: RGLASGOW1 | User Name: glasgowr | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.url[@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

.url [@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %* File not found

cmdfile [open] -- "%1" %* File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

helpfile [open] -- Reg Error: Key error.

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %* File not found

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 1

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 1

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 1

"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\PROGRA~2\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe" = C:\PROGRA~2\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe:*:Enabled:HPCA Notify Daemon -- (Hewlett-Packard)

"C:\PROGRA~2\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe" = C:\PROGRA~2\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe:*:Enabled:HPCA Notify Daemon -- (Hewlett-Packard)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{1374CC63-B520-4f3f-98E8-E9020BF01CFF}" = Windows XP Mode

"{82602802-91A2-449B-98BF-7F86BDE7F7E5}" = Forefront Identity Manager Add-ins and Extensions

"{86E45973-5352-439F-A115-2E8EE4D40140}" = ActivClient x64

"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007

"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007

"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel


Hi, please let me know how things are running after the following fix.

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen OTL from the icon on your desktop.
  2. Copy and paste the following code into the Custom Scans/Fixes textbox.
    :otl
    IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http://autocache.hp.com
    IE - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.gm.com;*.eds.com;*.gmeds.com;*.allisontransmission.com;*.edssdn.com;*.edssdn.net;*.hp.com;*.hp.net;*.hpqcorp.net;*.cpqcorp.net;*.hpshopping.com;usplsmqm*;usahsmqm*;CAMKSMQM*;CACGSMQM*;161.14.*.*;164.56.170.250;204.105.*;204.104.*;204.103.*;205.239.*;207.37.*;207.169.*;164.56.169.*;192.85.*;130.170.220.106;129.124.64.209;130.172.11.14;148.98.150.57;<local>
    IE - HKU\S-1-5-21-839522115-1383384898-515967899-2375751\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = web-proxy.atlanta.hp.com:8080

    :commands
    [emptytemp]
    [resethosts]

  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and paste that report in your next reply.

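What the fix above actually operates on is WinINet's per-hive proxy configuration (ProxyEnable, ProxyServer, ProxyOverride under HKLM and each user's HKU hive), and OTL resets each value it is handed. The script below is an added example, my own code rather than OTL's or anything posted in this thread: it parses OTL's Internet Settings lines, normalises the ProxyServer syntax, flags enabled proxies that are not on an allowlist (a loopback proxy is flagged outright, because a local listener is a common way redirect adware inserts itself into the browser's traffic), and replays the offending lines into an :otl block. The sample lines, SIDs, hostnames and allowlist are constructed for the example. One caveat worth making explicit: the proxies in the log above point at hp.com hosts on what the rest of the log (HP PC COE agents, *.hp.com bypass list) suggests is a corporate-managed build, so resetting them can cut the machine off from a corporate proxy; an allowlist check like this one lets you decide that before the fix runs.

```python
import re

# Constructed sample in OTL's "Internet Settings" line format (hosts and SIDs are made up).
SAMPLE_OTL = r"""
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http://autocache.example.com
IE - HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = web-proxy.example.com:8080
IE - HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.example.com;<local>
IE - HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:3128;https=127.0.0.1:3128
"""

LINE_RE = re.compile(
    r'^(?P<prefix>IE(?::64bit:)?) - (?P<hive>HKLM|HKU\\S-[\d-]+)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: '
    r'"(?P<name>\w+)" = (?P<value>.*)$'
)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_proxy_server(value):
    """Normalise WinINet ProxyServer syntax ("host:port", "http://host", or
    "http=host:port;https=host:port") into (scheme, host, port) tuples."""
    entries = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        scheme = "all"
        if "=" in item:
            scheme, item = item.split("=", 1)
        item = re.sub(r"^[a-z]+://", "", item, flags=re.I)
        host, _, port = item.partition(":")
        entries.append((scheme.lower(), host.lower(), int(port) if port.isdigit() else None))
    return entries


def audit(otl_text, allowed_hosts):
    """Group the Internet Settings lines by hive and decide, per hive, whether the
    proxy configuration should be reset. Returns {hive: {...}}."""
    hives = {}
    for line in otl_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = hives.setdefault(m["hive"], {"values": {}, "raw": {}})
        entry["values"][m["name"]] = m["value"].strip()
        entry["raw"][m["name"]] = line.strip()
    report = {}
    for hive, entry in hives.items():
        enabled = entry["values"].get("ProxyEnable") == "1"
        proxies = parse_proxy_server(entry["values"].get("ProxyServer", ""))
        reasons = []
        for _scheme, host, _port in proxies:
            if host in LOOPBACK:
                reason = f"loopback proxy {host}"   # local listener: classic redirect-adware setup
            elif host not in allowed_hosts:
                reason = f"unexpected proxy {host}"
            else:
                continue
            if reason not in reasons:
                reasons.append(reason)
        if enabled and not proxies:
            reasons.append("ProxyEnable=1 with empty ProxyServer")
        report[hive] = {
            "enabled": enabled,
            "proxies": proxies,
            "reasons": reasons,
            "action": "reset" if enabled and reasons else "keep",
            "raw": entry["raw"],
        }
    return report


def build_otl_fix(report):
    """Replay the offending lines into an OTL ':otl' block; OTL resets each listed value."""
    lines = [":otl"]
    for r in report.values():
        if r["action"] == "reset":
            lines.extend(r["raw"][n] for n in ("ProxyEnable", "ProxyServer", "ProxyOverride") if n in r["raw"])
    return "\n".join(lines)


if __name__ == "__main__":
    # The allowlist is an assumption: fill it with the proxies your environment really pushes.
    result = audit(SAMPLE_OTL, {"autocache.example.com", "web-proxy.example.com"})
    for hive, r in result.items():
        print(f"{hive}: {r['action']} {r['reasons']}")
    print(build_otl_fix(result))
```

Run against a real OTL log, only the hives whose proxy is enabled and points somewhere you did not expect end up in the generated :otl block; a corporate proxy on the allowlist is left alone.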

All processes killed

========== OTL ==========

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

HKU\S-1-5-21-839522115-1383384898-515967899-2375751\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!

HKU\S-1-5-21-839522115-1383384898-515967899-2375751\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 519905704 bytes

->Temporary Internet Files folder emptied: 7712900 bytes

->Flash cache emptied: 714 bytes

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 434 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: glasgowr

->Temp folder emptied: 4865967 bytes

->Temporary Internet Files folder emptied: 469262716 bytes

->Java cache emptied: 270974 bytes

->Flash cache emptied: 22822 bytes

User: Public

User: SYSTEM

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 763256 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 80375041 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes

RecycleBin emptied: 1362053 bytes

Total Files Cleaned = 1,034.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

OTL by OldTimer - Version 3.2.17.3 log created on 11282010_124741

Files\Folders moved on Reboot...

C:\Users\glasgowr\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

C:\Users\glasgowr\AppData\Local\Temp\~DFD1AACC1758274F54.TMP moved successfully.

C:\Users\glasgowr\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ON5BHTMU\index[5].htm moved successfully.

C:\Users\glasgowr\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H5FFUGO4\iframe[2].htm moved successfully.

File\Folder C:\Windows\temp\nsd_tmp_984.tmp not found!

Registry entries deleted on Reboot...


Hi again, let's also check for rootkits here.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1
Link 2
Link 3

  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.


MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows 7 Enterprise Edition

Windows Information: (build 7600), 64-bit

Base Board Manufacturer: Hewlett-Packard

BIOS Manufacturer: Hewlett-Packard

System Manufacturer: Hewlett-Packard

System Product Name: HP Compaq 6530b (NA407UC#ABA)

Logical Drives Mask: 0x0000000c

Kernel Drivers (total 216):

0x02A54000 \SystemRoot\system32\ntoskrnl.exe

0x02A0B000 \SystemRoot\system32\hal.dll

0x00BA6000 \SystemRoot\system32\kdcom.dll

0x00CD3000 \SystemRoot\system32\mcupdate_GenuineIntel.dll

0x00D17000 \SystemRoot\system32\PSHED.dll

0x00D2B000 \SystemRoot\system32\CLFS.SYS

0x00C00000 \SystemRoot\system32\CI.dll

0x00E52000 \SystemRoot\system32\drivers\Wdf01000.sys

0x00EF6000 \SystemRoot\system32\drivers\WDFLDR.SYS

0x00F05000 \SystemRoot\system32\DRIVERS\ACPI.sys

0x00F5C000 \SystemRoot\system32\DRIVERS\WMILIB.SYS

0x00F65000 \SystemRoot\system32\DRIVERS\msisadrv.sys

0x00F6F000 \SystemRoot\system32\DRIVERS\pci.sys

0x00FA2000 \SystemRoot\system32\DRIVERS\vdrvroot.sys

0x00FAF000 \SystemRoot\System32\drivers\partmgr.sys

0x00FC4000 \SystemRoot\system32\DRIVERS\compbatt.sys

0x00FCD000 \SystemRoot\system32\DRIVERS\BATTC.SYS

0x00FD9000 \SystemRoot\system32\DRIVERS\volmgr.sys

0x00D89000 \SystemRoot\System32\drivers\volmgrx.sys

0x00E00000 \SystemRoot\System32\drivers\mountmgr.sys

0x010CF000 \SystemRoot\system32\DRIVERS\iaStor.sys

0x011EB000 \SystemRoot\system32\DRIVERS\amdxata.sys

0x01000000 \SystemRoot\system32\drivers\fltmgr.sys

0x0104C000 \SystemRoot\system32\drivers\fileinfo.sys

0x0124E000 \SystemRoot\System32\Drivers\Ntfs.sys

0x01060000 \SystemRoot\System32\Drivers\msrpc.sys

0x01200000 \SystemRoot\System32\Drivers\ksecdd.sys

0x01485000 \SystemRoot\System32\Drivers\cng.sys

0x014F8000 \SystemRoot\system32\Drivers\FirePM.sys

0x01524000 \SystemRoot\System32\drivers\pcw.sys

0x01535000 \SystemRoot\System32\Drivers\Fs_Rec.sys

0x01672000 \SystemRoot\system32\drivers\ndis.sys

0x01764000 \SystemRoot\system32\drivers\NETIO.SYS

0x017C4000 \SystemRoot\System32\Drivers\ksecpkg.sys

0x01803000 \SystemRoot\System32\drivers\tcpip.sys

0x01600000 \SystemRoot\System32\drivers\fwpkclnt.sys

0x0164A000 \SystemRoot\system32\DRIVERS\vmstorfl.sys

0x0153F000 \SystemRoot\system32\DRIVERS\volsnap.sys

0x0165A000 \SystemRoot\System32\Drivers\spldr.sys

0x0158B000 \SystemRoot\System32\drivers\rdyboost.sys

0x015C5000 \SystemRoot\System32\Drivers\mup.sys

0x01400000 \SystemRoot\system32\drivers\mfehidk.sys

0x01662000 \SystemRoot\System32\drivers\hwpolicy.sys

0x017EF000 \SystemRoot\system32\DRIVERS\hpdskflt.sys

0x01A2E000 \SystemRoot\System32\DRIVERS\fvevol.sys

0x01A68000 \SystemRoot\system32\DRIVERS\disk.sys

0x01A7E000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS

0x01A00000 \SystemRoot\system32\DRIVERS\cdrom.sys

0x01BEB000 \SystemRoot\System32\Drivers\Null.SYS

0x01BF4000 \SystemRoot\System32\Drivers\Beep.SYS

0x01471000 \SystemRoot\System32\drivers\vga.sys

0x015D7000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0x0121A000 \SystemRoot\System32\drivers\watchdog.sys

0x0122A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0x01233000 \SystemRoot\system32\drivers\rdpencdd.sys

0x0123C000 \SystemRoot\system32\drivers\rdprefmp.sys

0x013F1000 \SystemRoot\System32\Drivers\Msfs.SYS

0x010BE000 \SystemRoot\System32\Drivers\Npfs.SYS

0x00E1A000 \SystemRoot\system32\DRIVERS\tdx.sys

0x00E38000 \SystemRoot\system32\DRIVERS\TDI.SYS

0x00DE5000 \SystemRoot\system32\drivers\mfetdik.sys

0x02E62000 \SystemRoot\System32\DRIVERS\netbt.sys

0x02EA7000 \SystemRoot\system32\drivers\afd.sys

0x02F31000 \SystemRoot\system32\DRIVERS\wfplwf.sys

0x02F3A000 \SystemRoot\system32\DRIVERS\pacer.sys

0x02F60000 \SystemRoot\system32\DRIVERS\vwififlt.sys

0x02F76000 \SystemRoot\system32\DRIVERS\vpcnfltr.sys

0x02F8A000 \SystemRoot\system32\DRIVERS\netbios.sys

0x02F99000 \SystemRoot\system32\DRIVERS\serial.sys

0x02FB6000 \SystemRoot\system32\DRIVERS\wanarp.sys

0x02E00000 \SystemRoot\system32\drivers\vpcvmm.sys

0x02FD1000 \SystemRoot\system32\DRIVERS\termdd.sys

0x03C2E000 \SystemRoot\system32\DRIVERS\rdbss.sys

0x03C7F000 \SystemRoot\system32\drivers\nsiproxy.sys

0x03C8B000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0x03C96000 \??\C:\Windows\system32\Drivers\FireTDI.sys

0x03CD3000 \SystemRoot\System32\drivers\discache.sys

0x03CE2000 \SystemRoot\system32\drivers\csc.sys

0x03D65000 \SystemRoot\System32\Drivers\dfsc.sys

0x03D83000 \SystemRoot\system32\DRIVERS\blbdrive.sys

0x03D94000 \SystemRoot\system32\DRIVERS\tunnel.sys

0x03DBA000 \SystemRoot\system32\DRIVERS\intelppm.sys

0x0402E000 \SystemRoot\system32\DRIVERS\igdkmd64.sys

0x04A23000 \SystemRoot\System32\drivers\dxgkrnl.sys

0x04B17000 \SystemRoot\System32\drivers\dxgmms1.sys

0x04B5D000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0x04B6A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0x04BC0000 \SystemRoot\system32\DRIVERS\usbehci.sys

0x04BD1000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0x0904C000 \SystemRoot\system32\DRIVERS\NETw5s64.sys

0x097AB000 \SystemRoot\system32\DRIVERS\vwifibus.sys

0x097B8000 \SystemRoot\system32\DRIVERS\b57nd60a.sys

0x09000000 \SystemRoot\system32\DRIVERS\1394ohci.sys

0x04A00000 \SystemRoot\system32\drivers\tpm.sys

0x0903E000 \SystemRoot\system32\DRIVERS\serenum.sys

0x04730000 \SystemRoot\system32\DRIVERS\parport.sys

0x0474D000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0x04A0F000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys

0x0476B000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0x04CA3000 \SystemRoot\system32\DRIVERS\SynTP.sys

0x04DFA000 \SystemRoot\system32\DRIVERS\USBD.SYS

0x04C00000 \SystemRoot\system32\DRIVERS\mouclass.sys

0x04C0F000 \SystemRoot\system32\DRIVERS\Accelerometer.sys

0x04C1C000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0x04C21000 \SystemRoot\system32\DRIVERS\cpqbttn.sys

0x04C24000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0x04C3D000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0x04C46000 \SystemRoot\system32\DRIVERS\wmiacpi.sys

0x04C4F000 \SystemRoot\system32\DRIVERS\CompositeBus.sys

0x04C5F000 \SystemRoot\system32\DRIVERS\firehk.sys

0x04C6C000 \SystemRoot\system32\DRIVERS\AgileVpn.sys

0x0477A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0x04C82000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0x0479E000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0x047CD000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0x04000000 \SystemRoot\system32\DRIVERS\raspptp.sys

0x03DD0000 \SystemRoot\system32\DRIVERS\rassstp.sys

0x03C00000 \SystemRoot\system32\DRIVERS\vna.sys

0x04C8E000 \SystemRoot\system32\DRIVERS\rdpbus.sys

0x04C99000 \SystemRoot\system32\DRIVERS\swenum.sys

0x04E39000 \SystemRoot\system32\DRIVERS\ks.sys

0x04E7C000 \SystemRoot\system32\DRIVERS\umbus.sys

0x04E8E000 \SystemRoot\system32\DRIVERS\vpcusb.sys

0x04EAB000 \SystemRoot\system32\DRIVERS\usbrpm.sys

0x04EBA000 \SystemRoot\system32\DRIVERS\vpchbus.sys

0x04EF6000 \SystemRoot\system32\DRIVERS\usbhub.sys

0x04F50000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0x04F5E000 \SystemRoot\System32\Drivers\NDProxy.SYS

0x04F73000 \SystemRoot\system32\drivers\ADIHdAud.sys

0x0583E000 \SystemRoot\system32\drivers\portcls.sys

0x0587B000 \SystemRoot\system32\drivers\drmk.sys

0x0589D000 \SystemRoot\system32\drivers\ksthunk.sys

0x058A3000 \SystemRoot\system32\DRIVERS\agrsm64.sys

0x059C5000 \SystemRoot\system32\drivers\modem.sys

0x059D4000 \SystemRoot\system32\DRIVERS\hidusb.sys

0x059E2000 \SystemRoot\system32\DRIVERS\mouhid.sys

0x00030000 \SystemRoot\System32\win32k.sys

0x059EF000 \SystemRoot\System32\drivers\Dxapi.sys

0x05800000 \SystemRoot\System32\Drivers\crashdmp.sys

0x01AAE000 \SystemRoot\System32\Drivers\dump_iaStor.sys

0x0580E000 \SystemRoot\System32\Drivers\dump_dumpfve.sys

0x00530000 \SystemRoot\System32\TSDDD.dll

0x04E00000 \SystemRoot\System32\Drivers\BTHUSB.sys

0x02253000 \SystemRoot\System32\Drivers\bthport.sys

0x022DF000 \SystemRoot\system32\DRIVERS\rfcomm.sys

0x0230B000 \SystemRoot\system32\DRIVERS\BthEnum.sys

0x0231B000 \SystemRoot\system32\DRIVERS\bthpan.sys

0x00650000 \SystemRoot\System32\cdd.dll

0x00860000 \SystemRoot\System32\ATMFD.DLL

0x0233B000 \SystemRoot\system32\drivers\luafv.sys

0x0235E000 \SystemRoot\system32\drivers\WudfPf.sys

0x0237F000 \SystemRoot\system32\DRIVERS\lltdio.sys

0x02394000 \SystemRoot\system32\DRIVERS\nwifi.sys

0x023E7000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0x02200000 \SystemRoot\system32\DRIVERS\rspndr.sys

0x02ACA000 \SystemRoot\system32\drivers\HTTP.sys

0x02B92000 \SystemRoot\system32\DRIVERS\bowser.sys

0x02BB0000 \SystemRoot\System32\drivers\mpsdrv.sys

0x02BC8000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0x02A00000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys

0x02A4E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys

0x02A71000 \SystemRoot\system32\drivers\HIPPSK.sys

0x02A7B000 \SystemRoot\system32\drivers\HIPK.sys

0x02A9C000 \SystemRoot\system32\drivers\HIPQK.sys

0x07243000 \SystemRoot\system32\drivers\peauth.sys

0x072E9000 \??\C:\Windows\system32\drivers\firelm01.sys

0x072F1000 \SystemRoot\System32\Drivers\secdrv.SYS

0x072FC000 \SystemRoot\System32\DRIVERS\srvnet.sys

0x07329000 \SystemRoot\System32\drivers\tcpipreg.sys

0x0733B000 \SystemRoot\System32\DRIVERS\srv2.sys

0x07CF6000 \SystemRoot\System32\DRIVERS\srv.sys

0x07DA3000 \SystemRoot\system32\drivers\mfeavfk.sys

0x07DBF000 \SystemRoot\system32\DRIVERS\radiamsi.sys

0x07C71000 \SystemRoot\system32\DRIVERS\asyncmac.sys

0x07C7C000 \SystemRoot\system32\DRIVERS\monitor.sys

0x07D8C000 \SystemRoot\system32\drivers\mfeapfk.sys

0x777B0000 \Windows\System32\ntdll.dll

0x48310000 \Windows\System32\smss.exe

0xFFAD0000 \Windows\System32\apisetschema.dll

0xFF1C0000 \Windows\System32\autochk.exe

0xFF9B0000 \Windows\System32\msctf.dll

0x776B0000 \Windows\System32\user32.dll

0xFEC20000 \Windows\System32\shell32.dll

0xFEC00000 \Windows\System32\imagehlp.dll

0x77980000 \Windows\System32\normaliz.dll

0xFEB80000 \Windows\System32\difxapi.dll

0xFEAE0000 \Windows\System32\clbcatq.dll

0xFEA40000 \Windows\System32\comdlg32.dll

0xFE9C0000 \Windows\System32\shlwapi.dll

0xFE7B0000 \Windows\System32\ole32.dll

0xFE5D0000 \Windows\System32\setupapi.dll

0x77590000 \Windows\System32\kernel32.dll

0xFE5C0000 \Windows\System32\nsi.dll

0xFE550000 \Windows\System32\gdi32.dll

0xFE470000 \Windows\System32\oleaut32.dll

0x77970000 \Windows\System32\psapi.dll

0xFE3A0000 \Windows\System32\usp10.dll

0xFE270000 \Windows\System32\rpcrt4.dll

0xFE0F0000 \Windows\System32\urlmon.dll

0xFDE90000 \Windows\System32\iertutil.dll

0xFDDF0000 \Windows\System32\msvcrt.dll

0xFDDC0000 \Windows\System32\imm32.dll

0xFDCE0000 \Windows\System32\advapi32.dll

0xFDC90000 \Windows\System32\Wldap32.dll

0xFDC40000 \Windows\System32\ws2_32.dll

0xFDC30000 \Windows\System32\lpk.dll

0xFDC10000 \Windows\System32\sechost.dll

0xFDAE0000 \Windows\System32\wininet.dll

0xFDAA0000 \Windows\System32\cfgmgr32.dll

0xFDA00000 \Windows\System32\comctl32.dll

0xFD890000 \Windows\System32\crypt32.dll

0xFD850000 \Windows\System32\wintrust.dll

0xFD7E0000 \Windows\System32\KernelBase.dll

0xFD7C0000 \Windows\System32\devobj.dll

0xFD7B0000 \Windows\System32\msasn1.dll

0x77020000 \Windows\SysWOW64\normaliz.dll

Processes (total 94):

0 System Idle Process

4 System

280 C:\Windows\System32\smss.exe

400 csrss.exe

452 C:\Windows\System32\wininit.exe

460 csrss.exe

520 C:\Windows\System32\services.exe

544 C:\Windows\System32\lsass.exe

552 C:\Windows\System32\lsm.exe

672 C:\Windows\System32\svchost.exe

764 C:\Windows\System32\svchost.exe

800 C:\Windows\System32\winlogon.exe

872 C:\Windows\System32\svchost.exe

980 C:\Windows\System32\svchost.exe

268 C:\Windows\System32\svchost.exe

808 C:\Windows\System32\svchost.exe

1040 C:\Windows\System32\hpservice.exe

1120 C:\Windows\System32\svchost.exe

1264 C:\Windows\System32\spoolsv.exe

1300 C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe

1344 C:\Windows\System32\svchost.exe

1380 C:\Program Files\ActivIdentity\ActivClient\acevents.exe

1484 C:\Windows\System32\AEADISRV.EXE

1536 C:\Program Files (x86)\CheckPoint\SSL Network Extender\slimsvc.exe

1588 C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireSvc.exe

1636 C:\Windows\System32\svchost.exe

1684 C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe

1840 C:\Program Files (x86)\McAfee\Host Intrusion Prevention\HIPSCore\x64\HIPSvc.exe

1876 C:\Windows\System32\inetsrv\inetinfo.exe

1112 C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe

1952 C:\Windows\System32\taskhost.exe

1584 C:\Windows\System32\dwm.exe

2096 C:\Windows\explorer.exe

2232 C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe

2272 C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe

2316 C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe

2412 C:\Program Files\ActivIdentity\ActivClient\acevents.exe

2420 C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

2432 C:\Windows\System32\igfxtray.exe

2460 C:\Windows\System32\hkcmd.exe

2500 C:\Windows\System32\igfxpers.exe

2516 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

2588 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

2648 C:\Program Files\Windows Sidebar\sidebar.exe

2664 C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

2744 C:\Windows\System32\igfxsrvc.exe

2772 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

2344 C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe

3012 C:\Program Files (x86)\Hewlett-Packard\PC COE\COEMsgDisplay.exe

2984 C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe

996 naPrdMgr.exe

3080 C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireTray.exe

3120 C:\Windows\System32\mfevtps.exe

3328 C:\Program Files (x86)\IBM\Lotus\Notes\ntmulti.exe

3468 C:\Windows\System32\svchost.exe

3568 C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe

3656 C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe

3732 C:\Program Files (x86)\RA2HP\HPRAService.exe

3740 C:\Program Files (x86)\Hewlett-Packard\PC COE\Ida.exe

3824 C:\Program Files (x86)\McAfee\Common Framework\McTray.exe

3940 C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe

3980 C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

4000 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe

4052 C:\Program Files (x86)\level0\bin\sprtcmd.exe

3160 C:\PROGRA~2\HEWLET~1\PCCOE3~1\OVCMS~1\Radalert.exe

3412 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe

2456 C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe

3988 C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe

3284 C:\Program Files (x86)\level0\bin\sprtsvc.exe

3168 C:\Program Files (x86)\level0\bin\tgsrvc.exe

4212 C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe

4300 mfeann.exe

4320 C:\Windows\System32\conhost.exe

4488 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe

5004 unsecapp.exe

4344 WmiPrvSE.exe

4484 C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe

4536 C:\Windows\System32\SearchIndexer.exe

4776 C:\Windows\System32\svchost.exe

5452 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

5948 C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe

3316 C:\Program Files (x86)\Internet Explorer\iexplore.exe

6032 C:\Program Files (x86)\Internet Explorer\iexplore.exe

916 C:\Program Files (x86)\Internet Explorer\iexplore.exe

4524 C:\Windows\System32\taskeng.exe

3752 C:\Windows\System32\audiodg.exe

3352 C:\Windows\System32\SearchProtocolHost.exe

5596 C:\Windows\System32\SearchFilterHost.exe

596 C:\Windows\System32\VSSVC.exe

2800 C:\Windows\System32\svchost.exe

5888 C:\Users\glasgowr\Desktop\MBRCheck.exe

1624 C:\Windows\System32\conhost.exe

2220 taskhost.exe

5380 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543216L9A300, Rev: FB2OC40F

Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 MBR Code Faked!

SHA1: 1BB72AA843C54C64E74C9F6C9BD22FA2AFA08966

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice:

Done!

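The MBRCheck output above reduces to three facts: the volume C: starts at byte offset 0x100000 of PhysicalDrive0, the first sector's boot code hashes to a value the tool did not expect, and so it reports the MBR as non-standard or infected. The script below is an added example, my own code and not MBRCheck's (whose exact hashed range and hash table I do not reproduce): it parses a 512-byte MBR, checks the 0x55AA boot signature, decodes the partition table, hashes the boot-code region (bytes 0 to 439, which excludes the per-machine disk signature and partition table; that split is my assumption) and compares the digest against a caller-supplied allowlist of known-clean hashes. The sample sector is constructed, and the allowlist is an assumption you would fill from a clean install of the same Windows build. It also cross-checks the OS-reported volume offset against the partition table, the way the 0x100000 line above can be checked (2048 sectors * 512 bytes).

```python
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440      # 0x000-0x1B7: boot code; the 4-byte disk signature and partition table follow
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed sample sector, not a real dump: filler boot code, one bootable NTFS
    partition at LBA 2048 (byte offset 0x100000), three empty entries, valid signature."""
    code = bytes((i * 37 + 11) & 0xFF for i in range(BOOTSTRAP_LEN))
    disk_sig = b"\xDE\xAD\xBE\xEF"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 312475648)
    mbr = code + disk_sig + b"\x00\x00" + entry + b"\x00" * 48 + b"\x55\xAA"
    assert len(mbr) == SECTOR
    return mbr


SAMPLE_MBR = build_sample_mbr()


def bootstrap_sha1(mbr):
    """Hash only the boot code: the disk signature and partition table legitimately differ per machine."""
    return hashlib.sha1(mbr[:BOOTSTRAP_LEN]).hexdigest().upper()


def parse_partitions(mbr):
    """Decode the four primary partition entries, skipping empty ones (type 0)."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return parts


def analyze_mbr(mbr, known_good, reported_volume_offset=None):
    """Return signature check, boot-code digest, allowlist verdict, partition table and,
    if the OS-reported volume offset is given, whether the table accounts for it."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    parts = parse_partitions(mbr)
    digest = bootstrap_sha1(mbr)
    result = {
        "signature_ok": mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
        "bootstrap_sha1": digest,
        "verdict": "known-good" if digest in known_good else "unknown",
        "partitions": parts,
        "offset_matches_table": None,
    }
    if reported_volume_offset is not None:
        result["offset_matches_table"] = any(p["byte_offset"] == reported_volume_offset for p in parts)
    return result


def read_first_sector(path):
    """Read sector 0 from a raw device or image, e.g. r'\\\\.\\PhysicalDrive0' (needs
    administrator rights on Windows) or a forensic image file."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    # Known-good digests are an assumption: collect them from a clean install of the same build.
    known_good = set()
    report = analyze_mbr(SAMPLE_MBR, known_good, reported_volume_offset=0x100000)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A verdict of "unknown" means only that the boot code is not on your allowlist; treat it the way MBRCheck's message is treated in the thread, as a reason to look harder rather than proof on its own. One caveat that matters here: a bootkit that hooks the disk stack can hand a clean copy of sector 0 back to user-mode readers, so a clean result obtained from the running OS is not conclusive. Read the sector from boot media or from an image taken with the disk offline.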

Looks like we have a nasty rootkit on our hands. Please read the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Here you go:

2010/11/30 00:33:05.0352 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56

2010/11/30 00:33:05.0352 ================================================================================

2010/11/30 00:33:05.0352 SystemInfo:

2010/11/30 00:33:05.0352

2010/11/30 00:33:05.0352 OS Version: 6.1.7600 ServicePack: 0.0

2010/11/30 00:33:05.0352 Product type: Workstation

2010/11/30 00:33:05.0352 ComputerName: RGLASGOW1

2010/11/30 00:33:05.0352 UserName: glasgowr

2010/11/30 00:33:05.0352 Windows directory: C:\Windows

2010/11/30 00:33:05.0352 System windows directory: C:\Windows

2010/11/30 00:33:05.0352 Running under WOW64

2010/11/30 00:33:05.0352 Processor architecture: Intel x64

2010/11/30 00:33:05.0352 Number of processors: 2

2010/11/30 00:33:05.0352 Page size: 0x1000

2010/11/30 00:33:05.0352 Boot type: Normal boot

2010/11/30 00:33:05.0352 ================================================================================

2010/11/30 00:33:05.0352 Utility is running under WOW64

2010/11/30 00:33:05.0696 Initialize success

2010/11/30 00:33:10.0563 ================================================================================

2010/11/30 00:33:10.0563 Scan started

2010/11/30 00:33:10.0563 Mode: Manual;

2010/11/30 00:33:10.0563 ================================================================================


2010/11/30 00:33:37.0878 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/11/30 00:33:37.0878 ================================================================================

2010/11/30 00:33:37.0878 Scan finished

2010/11/30 00:33:37.0878 ================================================================================

2010/11/30 00:33:37.0894 Detected object count: 1

2010/11/30 00:36:07.0217 \HardDisk0 - will be cured after reboot

2010/11/30 00:36:07.0264 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/11/30 00:36:19.0354 Deinitialize success

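A small parser for the TDSSKiller log format quoted above, added here as an illustration (it is not part of the thread and not TDSSKiller's own code). The sample lines are constructed to match the format of the log in this thread; a bare \HardDiskN object name is treated as a boot-sector (MBR) finding, which is where TDL4 lives, as opposed to a driver file.

```python
import re

# Constructed sample in the TDSSKiller log format quoted in this thread
# (one driver line, the \HardDisk0 detection, the summary and the chosen action).
SAMPLE_LOG = """\
2010/11/30 00:33:37.0130 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\\Windows\\system32\\drivers\\Wdf01000.sys
2010/11/30 00:33:37.0878 \\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/30 00:33:37.0878 ================================================================================
2010/11/30 00:33:37.0878 Scan finished
2010/11/30 00:33:37.0894 Detected object count: 1
2010/11/30 00:36:07.0217 \\HardDisk0 - will be cured after reboot
2010/11/30 00:36:07.0264 Rootkit.Win32.TDSS.tdl4(\\HardDisk0) - User select action: Cure
"""

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
DRIVER_RE = re.compile(TS + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(TS + r"(?P<obj>\S+) - detected (?P<threat>\S+)")
REBOOT_RE = re.compile(TS + r"(?P<obj>\S+) - will be cured after reboot$")
ACTION_RE = re.compile(TS + r"(?P<threat>[^(\s]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")


def parse_tdsskiller_log(text):
    """Split a TDSSKiller log into the driver inventory and the detection events."""
    result = {"drivers": [], "detections": [], "actions": [], "reboot_pending": [], "count": None}
    for line in text.splitlines():
        line = line.strip()
        if m := DRIVER_RE.match(line):
            result["drivers"].append((m["name"], m["md5"], m["path"]))
        elif m := DETECT_RE.match(line):
            result["detections"].append((m["obj"], m["threat"]))
        elif m := REBOOT_RE.match(line):
            result["reboot_pending"].append(m["obj"])
        elif m := ACTION_RE.match(line):
            result["actions"].append((m["obj"], m["threat"], m["action"]))
        elif m := COUNT_RE.match(line):
            result["count"] = int(m["n"])
    return result


def triage(parsed):
    """Return (findings, warnings) a helper would want to see before advising the user."""
    findings, warnings = [], []
    for obj, threat in parsed["detections"]:
        # A bare \HardDiskN object means the threat sits in the boot sector (MBR),
        # not in a driver file: a bootkit, which is what TDL4 is.
        where = "MBR/boot sector" if obj.lstrip("\\").lower().startswith("harddisk") else "file"
        acted = [a for o, _, a in parsed["actions"] if o == obj]
        findings.append((obj, threat, where, acted[-1] if acted else "no action"))
        if obj in parsed["reboot_pending"]:
            warnings.append(f"{obj}: cure is deferred until reboot; rescan after restarting")
    if parsed["count"] is not None and parsed["count"] != len(parsed["detections"]):
        warnings.append("summary count does not match the number of detection lines")
    return findings, warnings
```

Run `triage(parse_tdsskiller_log(SAMPLE_LOG))` to get the single MBR finding plus a reminder that the cure only completes after the reboot, which is why the helper asks for a fresh scan afterwards.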

I'm glad to hear that. ;)

Please let me know if your McAfee antispyware also includes the Antivirus product.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
     ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
        Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


That means your computer is clean. ;)

ALL CLEAN

--------------

Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Rerun OTL and click the Cleanup button. Allow a reboot. This will remove all tools and logs we used.

Hiding Hidden Files

Please set your system to hide all hidden files.

  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check: Hide file extensions for known file types
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.

Purging System Restore Points

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software, then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file

  2. Keep Windows (and your other Microsoft software) up to date!

     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

     Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

  4. Stay up to date!

     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

