Jump to content

Proxy settings repeatedly changed


ChemMan

Recommended Posts

I have been having a problem for the past two days. Every so often, seemingly at random as it does not happen immediately after startup or upon opening any program, the proxy settings on Google Chrome are checked so that I can't access the internet. When this happens, a scan with MBAM shows a Hijack.Shell key in the registry which it removes, but nothing else. Ad-Aware does not find any infection, nor does my Antivirus software (Symantec Endpoint, provided by my school). Can anyone tell me what is causing this and how to fix it?

Malwarebyte's Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5214

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

11/29/2010 8:27:02 PM

mbam-log-2010-11-29 (20-27-02).txt

Scan type: Quick scan

Objects scanned: 171176

Time elapsed: 7 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Users\leonam2\AppData\Roaming\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS Log:

DDS (Ver_10-11-27.01) - NTFSx86

Run by leonam2 at 21:06:47.67 on Mon 11/29/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22

Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2014.792 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\ibmpmsvc.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k WbioSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\Windows\system32\AEADISRV.EXE

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\System32\TpShocks.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe

C:\Users\leonam2\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Users\leonam2\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Lenovo\System Update\SUService.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Users\leonam2\Desktop\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:50370

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll

uRun: [Google Update] "c:\users\leonam2\appdata\local\google\update\GoogleUpdate.exe" /c

mRun: [<NO NAME>]

mRun: [TpShocks] TpShocks.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [iaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{08b785c1-3893-4154-b53b-f5d341d0aaaa}\Icon3E5562ED7.ico

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: DisableCAD = 1 (0x1)

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AfsLogon - c:\program files\openafs\client\program\afslogon.dll

Notify: igfxcui - igfxdev.dll

Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

LSA: Notification Packages = scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll

Hosts: 127.0.0.1 www.spywareinfo.com

Hosts: 10.254.254.253 AFS

================= FIREFOX ===================

FF - ProfilePath - c:\users\leonam2\appdata\roaming\mozilla\firefox\profiles\80c1h1vm.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://rpinfo.rpi.edu/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 1

FF - component: c:\users\leonam2\appdata\roaming\mozilla\firefox\profiles\80c1h1vm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\program files\3dvia\3dviastudioplayer\bin\win32_dynamic\release\npvtmp3dlifeplayer.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npSfAppM.dll

FF - plugin: c:\users\leonam2\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\users\leonam2\appdata\roaming\mozilla\firefox\profiles\80c1h1vm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\users\leonam2\appdata\roaming\mozilla\firefox\profiles\80c1h1vm.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2009-10-28 232472]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-6 64288]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-6-29 20520]

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-12 13480]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-10-20 172032]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1375992]

R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2009-7-19 4446752]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-24 1153368]

R2 smihlp;SMI Helper Driver (smihlp);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]

R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2010-1-27 5120]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]

R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2009-7-15 62320]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2009-7-3 45424]

S2 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]

S3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-11-20 401920]

S3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2009-10-20 5073920]

S3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2009-10-20 106496]

S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\atswpwdf.sys [2009-9-1 485376]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-8-22 225408]

S3 intelkmd;intelkmd;c:\windows\system32\drivers\igdpmd32.sys [2009-10-20 5924864]

S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-10-20 75040]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]

S3 spect04;Excalibur Spectrometer;c:\windows\system32\drivers\spect04.sys [2010-7-23 13909]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-4 1343400]

=============== Created Last 30 ================

2010-11-29 17:41:44 -------- d-----w- c:\users\leonam2\appdata\local\Sunbelt Software

2010-11-29 17:41:00 -------- dc-h--w- c:\progra~2\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-26 20:07:55 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{40e36f7a-1e6c-4542-aa19-0fdec3467f9b}\mpengine.dll

2010-11-26 04:25:40 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-26 04:25:40 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2010-11-25 01:38:45 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

2010-11-23 18:03:44 503808 ----a-w- c:\windows\system32\AudioGenie2.ocx

2010-11-23 18:03:44 -------- d-----w- c:\program files\Sanse Mp3 Art Sizer

2010-11-23 17:34:22 -------- d-----w- c:\users\leonam2\appdata\local\Apple Computer

2010-11-21 22:46:08 -------- d-----w- c:\users\leonam2\appdata\local\The Witcher

2010-11-21 22:11:09 -------- d-----w- c:\program files\The Witcher Enhanced Edition

2010-11-20 21:38:57 -------- d-----w- c:\progra~2\Amazon

2010-11-20 21:38:46 -------- d-----w- c:\program files\Amazon

==================== Find3M ====================

2010-11-15 02:43:37 204 ----a-w- c:\windows\system32\okc14yq.dll

2010-11-15 02:43:37 100 ----a-w- c:\windows\system32\prsgrc.dll

2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-09-23 07:46:08 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll

2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec

2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2010-09-01 04:23:49 12625408 ----a-w- c:\windows\system32\wmploc.DLL

2010-09-01 02:34:52 2327552 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys iaNvStor.sys

c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver

c:\windows\system32\drivers\iaNvStor.sys Intel Corporation Intel® Turbo Memory Driver

1 ntkrnlpa!IofCallDriver[0x82E53458] -> \Device\Harddisk0\DR0[0x87973030]

3 CLASSPNP[0x893AE59E] -> ntkrnlpa!IofCallDriver[0x82E53458] -> [0x85B7E678]

5 ACPI[0x88C563B2] -> ntkrnlpa!IofCallDriver[0x82E53458] -> \Device\Ide\IAAStorageDevice-0[0x85779028]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

user != kernel MBR !!!

============= FINISH: 21:08:59.91 ===============

Attach.zip

Link to post
Share on other sites

Hello ,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:

    [*]Save it to your desktop.

    [*]Double click on the otlDesktopIcon.png icon on your desktop.

    [*]Click the "Scan All Users" checkbox.

    [*]Push the Quick Scan button.

    [*]Two reports will open, copy and paste them in a reply here:

    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please Download Rootkit Unhooker Save it to your desktop.

  • extract RKUnhooker to your desktop
    • Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
      you can get a free one from here -
    http://www.7-zip.org/

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

Link to post
Share on other sites

Thanks for helping me. My web browser proxy settings are continually being enabled at seemingly random times. For example: yesterday afternoon I was surfing the web and working. I left my browser open while I did another task and when I returned, the proxy settings were enabled and I could not access the internet. After changing them back, a scan with MBAM found a Hijack.Shell entry in the registry and nothing else. this is in the the log in the OP. After removing it and rebooting, another MBAM scan shows nothing, nor does my antivirus (Symantec Endpoint) or Ad-Aware. I will use my computer (a thinkpad T61 laptop) for hours without a problem when inexplicably the proxy settings are enabled again. Don't know what's causing it, maybe some malware that's not in MBAM's definitions? Anyhow, logs are pasted in below:

OTL Log:

OTL logfile created on: 11/30/2010 9:59:34 AM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\leonam2\Desktop

Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 41.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 65.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 149.05 Gb Total Space | 29.05 Gb Free Space | 19.49% Space Free | Partition Type: NTFS

Computer Name: LEONAM2T61 | User Name: leonam2 | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/30 09:57:15 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\leonam2\Desktop\OTL.exe

PRC - [2010/11/29 12:43:51 | 000,928,496 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

PRC - [2010/11/29 12:43:50 | 001,375,992 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

PRC - [2010/11/01 16:36:03 | 000,974,904 | ---- | M] (Google Inc.) -- C:\Users\leonam2\AppData\Local\Google\Chrome\Application\chrome.exe

PRC - [2010/11/01 11:27:13 | 012,487,856 | ---- | M] (Mozilla Messaging) -- C:\Program Files\Mozilla Thunderbird\thunderbird.exe

PRC - [2009/10/31 00:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2009/10/19 16:18:36 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe

PRC - [2009/09/17 17:56:58 | 002,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

PRC - [2009/09/17 17:38:02 | 001,864,888 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

PRC - [2009/09/17 17:27:26 | 001,455,432 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

PRC - [2009/09/10 10:37:10 | 000,132,464 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe

PRC - [2009/08/24 12:43:54 | 000,038,176 | ---- | M] (Lenovo) -- C:\Windows\System32\ibmpmsvc.exe

PRC - [2009/08/24 12:00:30 | 000,352,256 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe

PRC - [2009/08/24 12:00:02 | 000,172,032 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe

PRC - [2009/08/23 21:41:16 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

PRC - [2009/08/20 08:38:30 | 000,062,752 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe

PRC - [2009/08/17 13:29:26 | 000,057,096 | ---- | M] (UPEK Inc.) -- C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe

PRC - [2009/07/19 22:55:50 | 004,446,752 | ---- | M] () -- C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe

PRC - [2009/07/15 09:18:02 | 000,062,320 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe

PRC - [2009/07/14 14:15:36 | 000,128,296 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

PRC - [2009/07/13 20:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe

PRC - [2009/07/13 20:14:24 | 000,157,184 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Windows Defender\MpCmdRun.exe

PRC - [2009/07/08 19:14:40 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe

PRC - [2009/07/08 19:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

PRC - [2009/07/08 19:12:06 | 000,337,184 | ---- | M] (Lenovo.) -- C:\Windows\System32\TpShocks.exe

PRC - [2009/06/04 19:03:32 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

PRC - [2009/06/04 19:03:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

PRC - [2009/05/18 16:28:04 | 001,314,816 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe

PRC - [2009/03/13 16:32:48 | 000,068,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

PRC - [2009/02/02 17:04:10 | 000,067,432 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

PRC - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

PRC - [2008/07/15 16:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEADISRV.EXE

PRC - [2008/06/11 21:43:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

PRC - [2007/01/04 18:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

========== Modules (SafeList) ==========

MOD - [2010/11/30 09:57:15 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\leonam2\Desktop\OTL.exe

MOD - [2010/08/21 00:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll

MOD - [2009/07/13 20:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll

MOD - [2009/07/13 20:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll

MOD - [2009/07/13 20:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll

MOD - [2009/07/13 20:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll

MOD - [2009/07/13 20:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll

MOD - [2009/07/13 20:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll

MOD - [2009/07/13 20:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll

MOD - [2009/07/13 20:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll

MOD - [2009/07/13 20:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll

MOD - [2009/07/13 20:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe -- (SessionLauncher)

SRV - [2010/11/29 12:43:50 | 001,375,992 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)

SRV - [2010/11/27 14:24:59 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)

SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2010/03/04 03:00:42 | 001,343,400 | ---- | M] (Microsoft Corporation) [unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)

SRV - [2009/10/23 12:31:44 | 000,401,920 | ---- | M] (Amazon.com) [On_Demand | Stopped] -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent)

SRV - [2009/10/21 15:06:58 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2009/10/19 16:18:36 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)

SRV - [2009/09/30 17:48:26 | 000,644,456 | ---- | M] (OpenAFS Project) [On_Demand | Stopped] -- C:\Program Files\OpenAFS\Client\Program\afsd_service.exe -- (TransarcAFSDaemon)

SRV - [2009/09/17 17:56:58 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)

SRV - [2009/09/17 17:38:02 | 001,864,888 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)

SRV - [2009/09/17 16:21:10 | 000,341,320 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)

SRV - [2009/09/09 02:05:00 | 000,075,040 | ---- | M] (Lenovo) [On_Demand | Stopped] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE -- (Power Manager DBC Service)

SRV - [2009/08/24 12:43:54 | 000,038,176 | ---- | M] (Lenovo) [Auto | Running] -- C:\Windows\System32\ibmpmsvc.exe -- (IBMPMSVC)

SRV - [2009/08/24 12:00:02 | 000,172,032 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)

SRV - [2009/08/23 21:41:16 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)

SRV - [2009/07/19 22:55:50 | 004,446,752 | ---- | M] () [Auto | Running] -- C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe -- (NVIDIA Performance Driver Service)

SRV - [2009/07/15 09:18:02 | 000,062,320 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)

SRV - [2009/07/13 20:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)

SRV - [2009/07/13 20:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)

SRV - [2009/07/13 20:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)

SRV - [2009/07/13 20:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)

SRV - [2009/07/13 20:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)

SRV - [2009/07/13 20:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)

SRV - [2009/07/13 20:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)

SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)

SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)

SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)

SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)

SRV - [2009/07/13 20:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)

SRV - [2009/07/13 20:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)

SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2009/07/13 20:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)

SRV - [2009/07/13 20:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)

SRV - [2009/07/13 20:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)

SRV - [2009/07/13 20:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)

SRV - [2009/07/13 20:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)

SRV - [2009/07/13 20:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)

SRV - [2009/07/13 20:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)

SRV - [2009/07/13 20:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)

SRV - [2009/07/13 11:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)

SRV - [2009/07/08 19:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)

SRV - [2009/07/08 19:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)

SRV - [2009/07/03 17:47:10 | 000,045,424 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)

SRV - [2009/06/29 12:51:00 | 000,039,976 | ---- | M] (Lenovo.) [On_Demand | Stopped] -- C:\Windows\System32\TPHDEXLG.exe -- (TPHDEXLGSVC)

SRV - [2009/06/04 19:03:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®

SRV - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)

SRV - [2008/09/16 11:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0)

SRV - [2008/07/15 16:09:52 | 000,090,112 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEADISRV.EXE -- (AEADIFilters)

SRV - [2008/04/25 07:15:24 | 001,120,752 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)

SRV - [2007/01/04 18:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\HSX_CNXT.sys -- (winachsf)

DRV - File not found [Kernel | Auto | Stopped] -- C:\Windows\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\HSXHWAZL.sys -- (HSXHWAZL)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\HSX_DPV.sys -- (HSF_DPV)

DRV - [2010/11/29 12:44:00 | 000,015,264 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)

DRV - [2010/09/28 03:00:00 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20101129.002\NAVEX15.SYS -- (NAVEX15)

DRV - [2010/09/28 03:00:00 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20101129.002\NAVENG.SYS -- (NAVENG)

DRV - [2010/09/23 02:46:08 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd)

DRV - [2010/05/26 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2010/05/26 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2009/12/17 13:41:15 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)

DRV - [2009/12/11 02:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)

DRV - [2009/10/27 12:38:36 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)

DRV - [2009/09/09 02:05:00 | 000,011,552 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\Windows\System32\drivers\TPPWR32V.SYS -- (TPPWRIF)

DRV - [2009/09/05 23:21:46 | 009,833,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

DRV - [2009/09/03 15:03:48 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)

DRV - [2009/09/03 15:03:48 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)

DRV - [2009/09/01 00:44:16 | 000,485,376 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atswpwdf.sys -- (ATSwpWDF)

DRV - [2009/08/26 10:54:38 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)

DRV - [2009/08/25 19:05:44 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)

DRV - [2009/08/25 19:05:42 | 000,320,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)

DRV - [2009/08/25 19:05:42 | 000,281,648 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)

DRV - [2009/08/24 12:43:54 | 000,024,872 | ---- | M] (Lenovo.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ibmpmdrv.sys -- (IBMPMDRV)

DRV - [2009/08/24 12:32:48 | 005,073,920 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)

DRV - [2009/08/24 12:32:48 | 005,073,920 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atipmdag.sys -- (amdkmdag)

DRV - [2009/08/24 11:09:56 | 000,106,496 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)

DRV - [2009/08/24 10:54:58 | 005,924,864 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\igdpmd32.sys -- (intelkmd)

DRV - [2009/08/24 10:54:58 | 005,924,864 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)

DRV - [2009/08/23 21:40:32 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)

DRV - [2009/07/14 14:16:34 | 000,212,656 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)

DRV - [2009/07/13 20:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)

DRV - [2009/07/13 20:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)

DRV - [2009/07/13 20:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)

DRV - [2009/07/13 20:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)

DRV - [2009/07/13 20:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)

DRV - [2009/07/13 20:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)

DRV - [2009/07/13 20:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)

DRV - [2009/07/13 20:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)

DRV - [2009/07/13 20:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)

DRV - [2009/07/13 20:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)

DRV - [2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)

DRV - [2009/07/13 20:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)

DRV - [2009/07/13 20:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)

DRV - [2009/07/13 20:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)

DRV - [2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)

DRV - [2009/07/13 20:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)

DRV - [2009/07/13 20:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)

DRV - [2009/07/13 20:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)

DRV - [2009/07/13 20:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)

DRV - [2009/07/13 20:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)

DRV - [2009/07/13 20:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)

DRV - [2009/07/13 20:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)

DRV - [2009/07/13 20:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)

DRV - [2009/07/13 20:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)

DRV - [2009/07/13 20:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)

DRV - [2009/07/13 20:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)

DRV - [2009/07/13 20:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)

DRV - [2009/07/13 20:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)

DRV - [2009/07/13 20:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)

DRV - [2009/07/13 20:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)

DRV - [2009/07/13 20:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)

DRV - [2009/07/13 20:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)

DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)

DRV - [2009/07/13 20:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)

DRV - [2009/07/13 20:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)

DRV - [2009/07/13 20:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)

DRV - [2009/07/13 20:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)

DRV - [2009/07/13 20:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)

DRV - [2009/07/13 20:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)

DRV - [2009/07/13 20:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)

DRV - [2009/07/13 20:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)

DRV - [2009/07/13 20:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)

DRV - [2009/07/13 19:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)

DRV - [2009/07/13 19:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)

DRV - [2009/07/13 19:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)

DRV - [2009/07/13 18:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)

DRV - [2009/07/13 18:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)

DRV - [2009/07/13 18:53:36 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\loop.sys -- (msloop)

DRV - [2009/07/13 18:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)

DRV - [2009/07/13 18:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)

DRV - [2009/07/13 18:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)

DRV - [2009/07/13 18:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\umpass.sys -- (UmPass)

DRV - [2009/07/13 18:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)

DRV - [2009/07/13 18:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)

DRV - [2009/07/13 18:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)

DRV - [2009/07/13 18:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)

DRV - [2009/07/13 18:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)

DRV - [2009/07/13 18:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)

DRV - [2009/07/13 18:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)

DRV - [2009/07/13 18:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)

DRV - [2009/07/13 18:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)

DRV - [2009/07/13 18:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)

DRV - [2009/07/13 18:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)

DRV - [2009/07/13 18:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)

DRV - [2009/07/13 17:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)

DRV - [2009/07/13 17:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)

DRV - [2009/07/13 17:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)

DRV - [2009/07/13 17:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)

DRV - [2009/07/13 17:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)

DRV - [2009/07/13 17:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)

DRV - [2009/07/13 17:13:46 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (SrvHsfV92)

DRV - [2009/07/13 17:13:45 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (SrvHsfWinac)

DRV - [2009/07/13 17:13:45 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (SrvHsfHDA)

DRV - [2009/07/13 17:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel®

DRV - [2009/07/13 17:02:50 | 000,211,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®

DRV - [2009/07/13 17:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)

DRV - [2009/07/13 17:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)

DRV - [2009/07/13 17:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)

DRV - [2009/07/01 17:05:10 | 000,232,472 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaNvStor.sys -- (iaNvStor) Intel®

DRV - [2009/06/29 12:51:04 | 000,117,800 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\System32\DRIVERS\Apsx86.sys -- (Shockprf)

DRV - [2009/06/29 12:51:02 | 000,020,520 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\Windows\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)

DRV - [2009/06/04 18:43:16 | 000,330,264 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)

DRV - [2009/05/18 16:32:58 | 000,381,440 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)

DRV - [2009/03/13 13:47:26 | 000,012,560 | ---- | M] (UPEK Inc.) [Kernel | Auto | Running] -- C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys -- (smihlp) SMI Helper Driver (smihlp)

DRV - [2009/03/02 14:12:10 | 000,038,400 | ---- | M] (Samsung Electronics Co., Ltd.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\dgivecp.sys -- (DgiVecp)

DRV - [2009/03/02 14:12:10 | 000,005,120 | ---- | M] (Samsung Electronics) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\SSPORT.SYS -- (SSPORT)

DRV - [2008/11/16 18:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)

DRV - [2008/09/24 23:49:52 | 000,031,680 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\psadd.sys -- (psadd)

DRV - [2008/08/22 21:10:32 | 000,225,408 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1y6032.sys -- (e1yexpress) Intel®

DRV - [2008/05/12 17:04:04 | 000,013,480 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\Windows\System32\drivers\smiif32.sys -- (lenovo.smi)

DRV - [2008/02/15 17:01:18 | 000,046,592 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)

DRV - [2007/07/30 10:54:02 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)

DRV - [2007/07/30 09:42:58 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)

DRV - [2007/04/03 12:59:30 | 000,083,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s616bus.sys -- (s616bus) Sony Ericsson Device 616 driver (WDM)

DRV - [2007/01/18 20:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\cvirta.sys -- (CVirtA)

DRV - [2002/06/24 07:18:52 | 000,013,909 | ---- | M] (Digilab, LLC.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\spect04.sys -- (spect04)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/securit...ponse/index.jsp

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/securit...ponse/index.jsp

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/securit...ponse/index.jsp

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/securit...ponse/index.jsp

IE - HKU\S-1-5-21-3429796501-947903206-3345989695-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/securit...ponse/index.jsp

IE - HKU\S-1-5-21-3429796501-947903206-3345989695-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/

IE - HKU\S-1-5-21-3429796501-947903206-3345989695-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\S-1-5-21-3429796501-947903206-3345989695-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 63 78 E2 8D 93 51 CA 01 [binary data]

IE - HKU\S-1-5-21-3429796501-947903206-3345989695-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3429796501-947903206-3345989695-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-21-3429796501-947903206-3345989695-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"

FF - prefs.js..browser.startup.homepage: "http://rpinfo.rpi.edu/"

FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6

FF - prefs.js..network.proxy.http: "127.0.0.1"

FF - prefs.js..network.proxy.http_port: 50370

FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/17 15:12:28 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/25 23:25:40 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.6\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/11/01 11:27:17 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.6\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/07/25 20:03:07 | 000,000,000 | ---D | M]

[2009/12/13 20:47:01 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\Mozilla\Extensions

[2009/12/13 20:47:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\leonam2\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2010/10/04 10:24:40 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\extensions

[2010/09/02 12:20:04 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

[2010/07/25 20:08:25 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

[2009/12/13 21:10:25 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\Mozilla\Sunbird\Profiles\dr0mt39b.default\extensions

[2010/11/25 23:25:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/11/25 23:25:41 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

[2010/01/23 08:40:18 | 000,568,832 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp90.dll

[2010/01/23 08:40:18 | 000,655,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr90.dll

[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

[2007/05/16 10:30:04 | 000,036,864 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npSfAppM.dll

O1 HOSTS File: ([2010/05/24 16:42:40 | 000,395,402 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 10.254.254.253 AFS

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 127.0.0.1 1-2005-search.com

O1 - Hosts: 13652 more lines...

O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()

O3 - HKU\S-1-5-21-3429796501-947903206-3345989695-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)

O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe (Amazon.com)

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()

O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)

O4 - HKLM..\Run: [iaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe (Intel Corporation)

O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)

O4 - HKLM..\Run: [TpShocks] C:\Windows\System32\TpShocks.exe (Lenovo.)

O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)

O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O13 - gopher Prefix: missing

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_22)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_22)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKU\S-1-5-21-3429796501-947903206-3345989695-1003 Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AfsLogon: DllName - C:\Program Files\OpenAFS\Client\Program\afslogon.dll - C:\Program Files\OpenAFS\Client\Program\afslogon.dll (OpenAFS Project)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\psfus: DllName - C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll - C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll (UPEK Inc.)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O33 - MountPoints2\{050b319c-170f-11df-b9b6-ac73c3bcbcc3}\Shell - "" = AutoRun

O33 - MountPoints2\{050b319c-170f-11df-b9b6-ac73c3bcbcc3}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

O33 - MountPoints2\{0f659e1a-40b5-11df-81ef-001a6b3ac97f}\Shell - "" = AutoRun

O33 - MountPoints2\{0f659e1a-40b5-11df-81ef-001a6b3ac97f}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

O33 - MountPoints2\{38712a77-eb46-11de-9093-001c26f71a34}\Shell - "" = AutoRun

O33 - MountPoints2\{38712a77-eb46-11de-9093-001c26f71a34}\Shell\AutoRun\command - "" = E:\Setup.exe -- File not found

O33 - MountPoints2\{c228701e-08fa-11df-86b8-001c26f71a34}\Shell - "" = AutoRun

O33 - MountPoints2\{c228701e-08fa-11df-86b8-001c26f71a34}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found

O33 - MountPoints2\{ef796149-bf28-11de-a2e8-806e6f6e6963}\Shell - "" = AutoRun

O33 - MountPoints2\{ef796149-bf28-11de-a2e8-806e6f6e6963}\Shell\AutoRun\command - "" = D:\setup.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/30 09:57:11 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\leonam2\Desktop\OTL.exe

[2010/11/29 12:41:44 | 000,000,000 | ---D | C] -- C:\Users\leonam2\AppData\Local\Sunbelt Software

[2010/11/29 12:41:00 | 000,000,000 | -H-D | C] -- C:\ProgramData\{E961CE1B-C3EA-4882-9F67-F859B555D097}

[2010/11/29 12:40:12 | 000,000,000 | -HSD | C] -- C:\Config.Msi

[2010/11/25 23:25:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun

[2010/11/25 23:25:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/11/23 13:03:44 | 000,000,000 | ---D | C] -- C:\Program Files\Sanse Mp3 Art Sizer

[2010/11/23 12:34:22 | 000,000,000 | ---D | C] -- C:\Users\leonam2\AppData\Local\Apple Computer

[2010/11/21 17:46:08 | 000,000,000 | ---D | C] -- C:\Users\leonam2\Documents\The Witcher

[2010/11/21 17:46:08 | 000,000,000 | ---D | C] -- C:\Users\leonam2\AppData\Local\The Witcher

[2010/11/21 17:11:09 | 000,000,000 | ---D | C] -- C:\Program Files\The Witcher Enhanced Edition

[2010/11/21 17:10:51 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\The Witcher

[2010/11/20 16:38:57 | 000,000,000 | ---D | C] -- C:\Users\leonam2\Documents\Amazon Downloads

[2010/11/20 16:38:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Amazon

[2010/11/20 16:38:46 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Amazon Games & Software

[2010/11/20 16:38:46 | 000,000,000 | ---D | C] -- C:\Program Files\Amazon

[2010/11/09 10:04:31 | 000,000,000 | ---D | C] -- C:\Users\leonam2\Documents\Games

[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/30 09:57:15 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\leonam2\Desktop\OTL.exe

[2010/11/30 09:52:00 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3429796501-947903206-3345989695-1003UA.job

[2010/11/30 07:38:23 | 000,015,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2010/11/30 07:38:23 | 000,015,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2010/11/30 07:35:56 | 000,624,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2010/11/30 07:35:56 | 000,106,522 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2010/11/30 07:31:21 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job

[2010/11/30 07:30:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/11/30 07:30:05 | 1584,095,232 | -HS- | M] () -- C:\hiberfil.sys

[2010/11/29 21:45:26 | 000,007,046 | ---- | M] () -- C:\Users\leonam2\Desktop\Attach.zip

[2010/11/29 21:11:22 | 000,296,448 | ---- | M] () -- C:\Users\leonam2\Desktop\3ku0ritt.exe

[2010/11/29 21:05:39 | 000,630,272 | ---- | M] () -- C:\Users\leonam2\Desktop\dds.scr

[2010/11/29 20:59:56 | 000,000,020 | ---- | M] () -- C:\Users\leonam2\defogger_reenable

[2010/11/29 20:58:21 | 000,050,477 | ---- | M] () -- C:\Users\leonam2\Desktop\Defogger.exe

[2010/11/29 12:44:03 | 000,098,392 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys

[2010/11/29 12:40:58 | 000,001,124 | ---- | M] () -- C:\Users\leonam2\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk

[2010/11/29 12:40:58 | 000,001,100 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware.lnk

[2010/11/28 12:52:00 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3429796501-947903206-3345989695-1003Core.job

[2010/11/21 17:03:04 | 000,001,588 | ---- | M] () -- C:\Users\leonam2\Desktop\The Witcher.lnk

[2010/11/18 17:34:51 | 000,011,941 | ---- | M] () -- C:\Users\leonam2\Desktop\transcripts.pdf

[2010/11/17 17:11:33 | 000,002,131 | ---- | M] () -- C:\Users\leonam2\Desktop\Ligand Explorer.lnk

[2010/11/16 19:55:56 | 000,000,198 | ---- | M] () -- C:\Users\leonam2\vgalusr1.vr

[2010/11/16 19:17:21 | 000,193,833 | ---- | M] () -- C:\Users\leonam2\Desktop\3DFR.pdb

[2010/11/16 19:02:31 | 000,164,025 | ---- | M] () -- C:\Users\leonam2\Desktop\7DFR.pdb

[2010/11/14 21:43:37 | 000,000,204 | ---- | M] () -- C:\Windows\System32\okc14yq.dll

[2010/11/14 21:43:37 | 000,000,100 | ---- | M] () -- C:\Windows\System32\prsgrc.dll

[2010/11/07 21:31:06 | 000,023,034 | ---- | M] () -- C:\Users\leonam2\Documents\Expenses 2010-2011.xlsx

[2010/11/07 15:53:03 | 000,002,409 | ---- | M] () -- C:\Users\leonam2\Desktop\Google Chrome.lnk

[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/29 21:45:26 | 000,007,046 | ---- | C] () -- C:\Users\leonam2\Desktop\Attach.zip

[2010/11/29 21:11:20 | 000,296,448 | ---- | C] () -- C:\Users\leonam2\Desktop\3ku0ritt.exe

[2010/11/29 21:05:37 | 000,630,272 | ---- | C] () -- C:\Users\leonam2\Desktop\dds.scr

[2010/11/29 20:59:29 | 000,000,020 | ---- | C] () -- C:\Users\leonam2\defogger_reenable

[2010/11/29 20:58:20 | 000,050,477 | ---- | C] () -- C:\Users\leonam2\Desktop\Defogger.exe

[2010/11/29 12:47:16 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job

[2010/11/29 12:40:58 | 000,001,124 | ---- | C] () -- C:\Users\leonam2\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk

[2010/11/29 12:40:58 | 000,001,100 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware.lnk

[2010/11/23 13:03:44 | 000,503,808 | ---- | C] () -- C:\Windows\System32\AudioGenie2.ocx

[2010/11/21 17:03:04 | 000,001,588 | ---- | C] () -- C:\Users\leonam2\Desktop\The Witcher.lnk

[2010/11/18 17:34:51 | 000,011,941 | ---- | C] () -- C:\Users\leonam2\Desktop\transcripts.pdf

[2010/11/17 17:11:33 | 000,002,131 | ---- | C] () -- C:\Users\leonam2\Desktop\Ligand Explorer.lnk

[2010/11/16 19:17:19 | 000,193,833 | ---- | C] () -- C:\Users\leonam2\Desktop\3DFR.pdb

[2010/11/16 19:02:30 | 000,164,025 | ---- | C] () -- C:\Users\leonam2\Desktop\7DFR.pdb

[2010/10/28 23:43:27 | 000,544,256 | ---- | C] () -- C:\Windows\System32\janGraphics.dll

[2010/09/07 11:38:14 | 000,241,664 | ---- | C] () -- C:\Windows\System32\hppapr04.dll

[2010/07/23 11:04:17 | 000,014,358 | ---- | C] () -- C:\Windows\Merlin.ini

[2010/07/23 11:04:17 | 000,014,358 | ---- | C] () -- C:\Windows\Merlin Default.ini

[2010/07/23 11:04:14 | 000,139,264 | ---- | C] () -- C:\Windows\System32\PLSiqP32.dll

[2010/05/09 20:32:40 | 000,000,602 | ---- | C] () -- C:\Users\leonam2\AppData\Roaming\AutoGK.ini

[2010/04/17 20:19:55 | 000,000,362 | RHS- | C] () -- C:\ProgramData\ntuser.pol

[2010/04/11 19:27:02 | 000,212,992 | ---- | C] () -- C:\Windows\System32\WMIMPLEX.dll

[2010/04/11 19:27:02 | 000,040,960 | ---- | C] () -- C:\Windows\System32\maplec.dll

[2010/04/11 19:27:02 | 000,020,480 | ---- | C] () -- C:\Windows\System32\maplecompat.dll

[2010/01/27 16:23:40 | 000,000,287 | ---- | C] () -- C:\Windows\ChemDraw.ini

[2010/01/27 16:23:40 | 000,000,107 | ---- | C] () -- C:\Windows\Npc3ds.ini

[2010/01/01 21:06:54 | 000,007,588 | ---- | C] () -- C:\Users\leonam2\AppData\Local\Resmon.ResmonCfg

[2010/01/01 20:29:01 | 000,005,120 | ---- | C] () -- C:\Users\leonam2\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/01/01 19:00:31 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini

[2010/01/01 19:00:26 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll

[2009/12/15 20:37:44 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat

[2009/10/28 13:43:20 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll

[2009/10/28 13:43:20 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll

[2009/10/28 13:43:20 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll

[2009/10/28 13:43:20 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll

[2009/10/28 13:43:20 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll

[2009/10/28 13:43:20 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll

[2009/10/26 09:16:02 | 001,731,104 | ---- | C] () -- C:\Windows\System32\nvwdmcpl.dll

[2009/10/26 09:16:02 | 001,514,016 | ---- | C] () -- C:\Windows\System32\nView.dll

[2009/10/26 09:16:02 | 001,108,512 | ---- | C] () -- C:\Windows\System32\nvwimg.dll

[2009/10/26 09:16:02 | 000,473,632 | ---- | C] () -- C:\Windows\System32\nvShell.dll

[2009/08/23 21:41:22 | 000,197,424 | ---- | C] () -- C:\Windows\System32\vpnapi.dll

[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll

[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll

[2009/07/13 18:16:43 | 000,001,025 | ---- | C] () -- C:\Windows\System32\m2u63d9.dll

[2009/07/13 18:16:43 | 000,001,025 | ---- | C] () -- C:\Windows\System32\grcauth2.dll

[2009/07/13 18:16:43 | 000,001,025 | ---- | C] () -- C:\Windows\System32\grcauth1.dll

[2009/07/13 18:16:43 | 000,001,025 | ---- | C] () -- C:\Windows\System32\clauth2.dll

[2009/07/13 18:16:43 | 000,001,025 | ---- | C] () -- C:\Windows\System32\clauth1.dll

[2009/07/13 18:16:43 | 000,000,204 | ---- | C] () -- C:\Windows\System32\okc14yq.dll

[2009/07/13 18:16:43 | 000,000,100 | ---- | C] () -- C:\Windows\System32\prsgrc.dll

[2009/07/13 18:16:43 | 000,000,072 | ---- | C] () -- C:\Windows\System32\ssprs.dll

[2009/07/13 18:16:43 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\mb6a5lr.dll

[2009/04/09 20:05:54 | 016,614,648 | ---- | C] () -- C:\Windows\System32\TrueSuiteCoInst.dll

[2007/05/08 03:52:16 | 000,245,760 | R--- | C] () -- C:\Windows\System32\setupsup.dll

[1996/03/22 00:32:26 | 000,162,304 | ---- | C] () -- C:\Windows\System32\DLWBC31.DLL

========== LOP Check ==========

[2009/10/20 14:09:05 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\CachedFiles

[2009/10/20 14:09:05 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\CachedFiles

[2010/03/08 22:14:41 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\acccore

[2010/08/13 22:23:00 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\Audacity

[2009/10/20 14:09:05 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\CachedFiles

[2010/02/10 14:28:42 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\DAEMON Tools Lite

[2010/04/18 14:34:01 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\Dr. DivX 2.0 OSS

[2009/12/23 00:08:51 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\GetGo Software

[2010/01/01 20:59:37 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\InterVideo

[2010/04/11 19:40:53 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\Maple

[2009/12/13 20:47:00 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\Thunderbird

[2010/04/26 21:21:11 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\VanDyke

[2010/04/26 21:11:52 | 000,000,000 | ---D | M] -- C:\Users\leonam2\AppData\Roaming\WinBatch

[2009/10/20 14:09:05 | 000,000,000 | ---D | M] -- C:\Users\Mcx1-LEONAM2T61\AppData\Roaming\CachedFiles

[2010/11/30 07:31:21 | 000,000,370 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job

[2010/02/18 14:33:50 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 1113 bytes -> C:\Users\leonam2\Documents\Registration Confirmation 240th ACS National Meeting & Exposition.eml:OECustomProperty

< End of report >

Extras:

OTL Extras logfile created on: 11/30/2010 9:59:34 AM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\leonam2\Desktop

Enterprise Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 41.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 65.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 149.05 Gb Total Space | 29.05 Gb Free Space | 19.49% Space Free | Partition Type: NTFS

Computer Name: LEONAM2T61 | User Name: leonam2 | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3429796501-947903206-3345989695-1003\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- C:\Users\leonam2\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

========== Authorized Applications List ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{02383859-C71C-4AE0-80C9-12552ADA6B1E}" = Adobe Setup

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4

"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4

"{08B785C1-3893-4154-B53B-F5D341D0AAAA}" = Cisco Systems VPN Client 5.0.06.0110

"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data

"{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService

"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler

"{0B561CF4-0C7D-4745-AF53-161E24E44F87}" = Adobe CS4 Italian Speech Analysis Models

"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4

"{12377A05-0062-47F9-9CB9-AAAF8C22D645}" = SciFinder Scholar 2007

"{14F70205-1940-4000-88C7-BE799A6B2CAD}" = Adobe Soundbooth CS4

"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4

"{17CBC505-D1AE-459D-B445-3D2000A85842}" = ThinkPad UltraNav Utility

"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR

"{1DB0BD6C-F04A-4DB1-A931-F677F5C1F91D}" = 3DVIA Player

"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools

"{1FD653A8-9CFA-4392-B89C-CCDB114DE442}" = Adobe CS4 Spanish Speech Analysis Models

"{25C64847-B900-48AD-A164-1B4F9B774650}" = System Update

"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java 6 Update 22

"{297190A1-4B0D-4CD6-8B9F-3907F15C3FD8}" = Adobe CS4 American English Speech Analysis Models

"{2EFCC193-D915-4CCB-9201-31773A27BC06}" = Symantec Endpoint Protection

"{31423F74-36B2-4d24-B10D-CD00BFB7C118}" = Intel

Link to post
Share on other sites

First post was too long with the RKU log. Posted it below:

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows 7

Version 6.1.7600

Number of processors #2

==============================================

>Drivers

==============================================

0x97201000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 9826304 bytes (NVIDIA Corporation, NVIDIA Windows Kernel Mode Driver, Version 186.94 )

0x96838000 C:\Windows\system32\DRIVERS\netw5v32.sys 4272128 bytes (Intel Corporation, Intel

Link to post
Share on other sites

Hi again, indeed some proxies showing up in your logs. Lets see if we can get rid both of them and the malware that causes them.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Log.txt in your next reply.

Link to post
Share on other sites

Ran ComboFix. Says it deleted a bunch of files, including ones for lab software I use for my classes (Ad-Aware thought this was spyware as well). Log is posted below:

ComboFix 10-11-29.05 - leonam2 11/30/2010 10:54:25.1.2 - x86

Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2014.791 [GMT -5:00]

Running from: c:\users\leonam2\Desktop\ComboFix.exe

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\MicroLab

c:\program files\MicroLab\Calibrations\Sample pH LW.cft

c:\program files\MicroLab\Calibrations\Sample pH.cft

c:\program files\MicroLab\Calibrations\Sample Temp IC.cft

c:\program files\MicroLab\Calibrations\Sample Temp Thermistor LW.cft

c:\program files\MicroLab\Getting Started.pdf

c:\program files\MicroLab\MicroLAB Help.chm

c:\program files\MicroLab\Saved Experiments\Color Sample.col

c:\program files\MicroLab\Saved Experiments\Crystal Violet Sample.kin

c:\program files\MicroLab\Saved Experiments\Energy of Light Sample.elt

c:\program files\MicroLab\Saved Experiments\Kinetic Half-Life Sample.hlf

c:\program files\MicroLab\Saved Experiments\Mix Sample.cmx

c:\program files\MicroLab\Saved Experiments\Model 215 Half-Life Sample.hlf

c:\program files\MicroLab\Saved Experiments\Thallium Half Life.hlf

c:\program files\MicroLab\Simulations\Beers Law.sim

c:\program files\MicroLab\Simulations\Fluorescence.sim

c:\program files\MicroLab\uLAB.exe

c:\program files\MicroLab\uninstal.log

c:\windows\system32\drivers\etc\lmhosts

c:\windows\system32\okc14yq.dll

c:\windows\system32\prsgrc.dll

.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))

.

2010-11-30 15:51 . 2010-11-30 15:51 -------- d-----w- C:\32788R22FWJFW

2010-11-30 15:08 . 2010-11-30 15:08 -------- d-----w- c:\windows\system32\MustBeRandomlyNamed

2010-11-30 12:45 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6233D53A-9B8A-4529-89B2-6C0D6B28EB34}\mpengine.dll

2010-11-29 17:41 . 2010-11-29 17:41 -------- d-----w- c:\users\leonam2\AppData\Local\Sunbelt Software

2010-11-29 17:41 . 2010-11-29 17:41 -------- dc-h--w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-26 04:25 . 2010-11-26 04:25 -------- d-----w- c:\program files\Common Files\Java

2010-11-26 04:25 . 2010-09-15 09:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2010-11-26 04:25 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-25 01:38 . 2010-10-19 08:10 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

2010-11-23 18:03 . 2010-11-23 18:03 -------- d-----w- c:\program files\Sanse Mp3 Art Sizer

2010-11-23 18:03 . 2006-09-08 18:16 503808 ----a-w- c:\windows\system32\AudioGenie2.ocx

2010-11-23 17:34 . 2010-11-23 17:34 -------- d-----w- c:\users\leonam2\AppData\Local\Apple Computer

2010-11-21 22:46 . 2010-11-27 07:14 -------- d-----w- c:\users\leonam2\AppData\Local\The Witcher

2010-11-21 22:11 . 2010-11-21 22:29 -------- d-----w- c:\program files\The Witcher Enhanced Edition

2010-11-20 21:38 . 2010-11-20 21:38 -------- d-----w- c:\programdata\Amazon

2010-11-20 21:38 . 2010-11-20 21:38 -------- d-----w- c:\program files\Amazon

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-29 17:44 . 2010-05-24 19:58 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-10-19 15:41 . 2009-10-26 18:50 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-09-23 07:46 . 2010-06-07 01:26 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-09-23 07:46 . 2010-05-24 21:25 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-09-08 04:30 . 2010-10-14 18:52 978432 ----a-w- c:\windows\system32\wininet.dll

2010-09-08 04:28 . 2010-10-14 18:52 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-08 03:22 . 2010-10-14 18:52 386048 ----a-w- c:\windows\system32\html.iec

2010-09-08 02:48 . 2010-10-14 18:52 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2010-01-23 13:40 . 2010-01-27 02:12 568832 ----a-w- c:\program files\mozilla firefox\plugins\msvcp90.dll

2010-01-23 13:40 . 2010-01-27 02:12 655872 ----a-w- c:\program files\mozilla firefox\plugins\msvcr90.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\users\leonam2\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-10-03 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TpShocks"="TpShocks.exe" [2009-07-09 337184]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-24 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-24 174104]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-24 151064]

"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-09 714016]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]

"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2009-07-13 33304]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-1-19 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AfsLogon]

2009-09-30 22:48 95592 ----a-w- c:\program files\OpenAFS\Client\Program\afslogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2009-08-17 18:27 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-11-27 19:24 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-11-29 1375992]

R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]

R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]

R3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]

R3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]

R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2009-08-24 5073920]

R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2009-08-24 106496]

R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-09-01 485376]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-08-23 225408]

R3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd32.sys [2009-08-24 5924864]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-11-29 15264]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-09 75040]

R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]

R3 spect04;Excalibur Spectrometer;c:\windows\system32\drivers\Spect04.sys [2002-06-24 13909]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-17 691696]

S0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2009-07-01 232472]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]

S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-24 172032]

S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2009-07-20 4446752]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 12560]

S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2009-03-02 5120]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NORMANDY

*Deregistered* - Normandy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-11-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 17:43]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3429796501-947903206-3345989695-1003Core.job

- c:\users\leonam2\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-03 21:42]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3429796501-947903206-3345989695-1003UA.job

- c:\users\leonam2\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-03 21:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:50370

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://rpinfo.rpi.edu/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 1

FF - component: c:\users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\program files\3DVIA\3DVIAStudioPlayer\bin\win32_dynamic\release\npvtmp3dlifeplayer.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npSfAppM.dll

FF - plugin: c:\users\leonam2\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

SafeBoot-Symantec Antvirus

MSConfigStartUp-hsfe8owijfisjhgs7ye39gjsoighsd7y3eu - c:\users\leonam2\AppData\Local\Temp\ov6irt.exe

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys iaNvStor.sys

c:\windows\system32\DRIVERS\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver

c:\windows\system32\DRIVERS\iaNvStor.sys Intel Corporation Intel® Turbo Memory Driver

1 ntkrnlpa!IofCallDriver[0x82E8D458] -> \Device\Harddisk0\DR0[0x87959AA0]

3 CLASSPNP[0x893C459E] -> ntkrnlpa!IofCallDriver[0x82E8D458] -> [0x85B76370]

5 ACPI[0x88C9D3B2] -> ntkrnlpa!IofCallDriver[0x82E8D458] -> \Device\Ide\IAAStorageDevice-0[0x85B3A028]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

user != kernel MBR !!!

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(604)

c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infql2.dll

.

Completion time: 2010-11-30 11:04:16

ComboFix-quarantined-files.txt 2010-11-30 16:04

Pre-Run: 31,075,459,072 bytes free

Post-Run: 30,700,658,688 bytes free

- - End Of File - - 9C1FCED37BB50ECDCDEA30DC35D08F3B

Link to post
Share on other sites

That looks like a legit application. You can reinstall that. If that is not possible, let me know and we'll dequarantine the files/folders.

Please let me know how the proxy problem is after running the following fix.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:50370

Firefox::
FF - ProfilePath - c:\users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Link to post
Share on other sites

Ran the ComboFix script. the log is below.

I haven't had any of the proxy problems since last night right before my OP on the forum.

Combofix log:

ComboFix 10-11-29.05 - leonam2 11/30/2010 11:46:55.2.2 - x86

Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2014.892 [GMT -5:00]

Running from: c:\users\leonam2\Desktop\ComboFix.exe

Command switches used :: c:\users\leonam2\Desktop\CFScript.txt

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))

.

2010-11-30 16:53 . 2010-11-30 16:53 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2010-11-30 16:53 . 2010-11-30 16:53 -------- d-----w- c:\users\Mcx1-LEONAM2T61\AppData\Local\temp

2010-11-30 16:53 . 2010-11-30 16:53 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-11-30 16:53 . 2010-11-30 16:53 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2010-11-30 15:08 . 2010-11-30 15:08 -------- d-----w- c:\windows\system32\MustBeRandomlyNamed

2010-11-30 12:45 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6233D53A-9B8A-4529-89B2-6C0D6B28EB34}\mpengine.dll

2010-11-29 17:41 . 2010-11-29 17:41 -------- d-----w- c:\users\leonam2\AppData\Local\Sunbelt Software

2010-11-29 17:41 . 2010-11-29 17:41 -------- dc-h--w- c:\programdata\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2010-11-26 04:25 . 2010-11-26 04:25 -------- d-----w- c:\program files\Common Files\Java

2010-11-26 04:25 . 2010-09-15 09:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2010-11-26 04:25 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-25 01:38 . 2010-10-19 08:10 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

2010-11-23 18:03 . 2010-11-23 18:03 -------- d-----w- c:\program files\Sanse Mp3 Art Sizer

2010-11-23 18:03 . 2006-09-08 18:16 503808 ----a-w- c:\windows\system32\AudioGenie2.ocx

2010-11-23 17:34 . 2010-11-23 17:34 -------- d-----w- c:\users\leonam2\AppData\Local\Apple Computer

2010-11-21 22:46 . 2010-11-27 07:14 -------- d-----w- c:\users\leonam2\AppData\Local\The Witcher

2010-11-21 22:11 . 2010-11-21 22:29 -------- d-----w- c:\program files\The Witcher Enhanced Edition

2010-11-20 21:38 . 2010-11-20 21:38 -------- d-----w- c:\programdata\Amazon

2010-11-20 21:38 . 2010-11-20 21:38 -------- d-----w- c:\program files\Amazon

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-29 17:44 . 2010-05-24 19:58 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-10-19 15:41 . 2009-10-26 18:50 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-09-23 07:46 . 2010-06-07 01:26 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-09-23 07:46 . 2010-05-24 21:25 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-09-08 04:30 . 2010-10-14 18:52 978432 ----a-w- c:\windows\system32\wininet.dll

2010-09-08 04:28 . 2010-10-14 18:52 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-08 03:22 . 2010-10-14 18:52 386048 ----a-w- c:\windows\system32\html.iec

2010-09-08 02:48 . 2010-10-14 18:52 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2010-01-23 13:40 . 2010-01-27 02:12 568832 ----a-w- c:\program files\mozilla firefox\plugins\msvcp90.dll

2010-01-23 13:40 . 2010-01-27 02:12 655872 ----a-w- c:\program files\mozilla firefox\plugins\msvcr90.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\users\leonam2\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-10-03 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TpShocks"="TpShocks.exe" [2009-07-09 337184]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-24 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-24 174104]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-24 151064]

"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-09-09 714016]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]

"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]

"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2009-07-13 33304]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-1-19 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AfsLogon]

2009-09-30 22:48 95592 ----a-w- c:\program files\OpenAFS\Client\Program\afslogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2009-08-17 18:27 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-11-27 19:24 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-11-29 1375992]

R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-07-03 45424]

R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]

R3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]

R3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]

R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2009-08-24 5073920]

R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2009-08-24 106496]

R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-09-01 485376]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-08-23 225408]

R3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd32.sys [2009-08-24 5924864]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-11-29 15264]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2009-09-09 75040]

R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]

R3 spect04;Excalibur Spectrometer;c:\windows\system32\drivers\Spect04.sys [2002-06-24 13909]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-17 691696]

S0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2009-07-01 232472]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-06-29 20520]

S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-24 172032]

S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2009-07-20 4446752]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 12560]

S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2009-03-02 5120]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2009-07-15 62320]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NORMANDY

*Deregistered* - Normandy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-11-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 17:43]

2010-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3429796501-947903206-3345989695-1003Core.job

- c:\users\leonam2\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-03 21:42]

2010-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3429796501-947903206-3345989695-1003UA.job

- c:\users\leonam2\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-03 21:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp

uInternet Settings,ProxyOverride = <local>

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://rpinfo.rpi.edu/

FF - component: c:\users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\users\leonam2\AppData\Roaming\Mozilla\Firefox\Profiles\80c1h1vm.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7600

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.

device: opened successfully

user: error reading MBR

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys iaNvStor.sys

c:\windows\system32\DRIVERS\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver

c:\windows\system32\DRIVERS\iaNvStor.sys Intel Corporation Intel® Turbo Memory Driver

1 ntkrnlpa!IofCallDriver[0x82E8D458] -> \Device\Harddisk0\DR0[0x87959AA0]

3 CLASSPNP[0x893C459E] -> ntkrnlpa!IofCallDriver[0x82E8D458] -> [0x85B76370]

5 ACPI[0x88C9D3B2] -> ntkrnlpa!IofCallDriver[0x82E8D458] -> \Device\Ide\IAAStorageDevice-0[0x85B3A028]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

user != kernel MBR !!!

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(604)

c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll

c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

c:\program files\ThinkVantage Fingerprint Software\infql2.dll

.

Completion time: 2010-11-30 11:55:53

ComboFix-quarantined-files.txt 2010-11-30 16:55

ComboFix2.txt 2010-11-30 16:04

Pre-Run: 30,760,837,120 bytes free

Post-Run: 30,688,669,696 bytes free

- - End Of File - - 540E17B12F1E619A41D3E9DAE321B893

Link to post
Share on other sites

Ran a full scan, log is below. Still no problems that I've encountered. ;)

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5220

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

11/30/2010 1:34:07 PM

mbam-log-2010-11-30 (13-34-07).txt

Scan type: Full scan (C:\|)

Objects scanned: 322385

Time elapsed: 1 hour(s), 15 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Looks good indeed. Lets do one last scan for leftovers.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

Link to post
Share on other sites

I ran ESETScanner. It found three threats and cleaned them. List is below.

C:\Users\leonam2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\627f3a69-484e2952 multiple threats deleted - quarantined

C:\Users\leonam2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\fa54f6f-7df10485 a variant of Java/Rowindal.C trojan deleted - quarantined

C:\Users\leonam2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\2371d6c6-6449c3a9 multiple threats deleted - quarantined

Link to post
Share on other sites

Those were just some leftovers, which means you are all cleaned up. ;)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :D

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, Rootkit Unhooker, GMER (this is a random named file) and OTL.

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.