Rootkit on System - a challenge to your skills


Back in December I noticed that my PC stopped going into standby at night and then I noticed the hard drive light on when nothing was supposed to be running. Since then I have spent perhaps 48 to 60 hours of my time running every tool imaginable without success, although the tools have found a couple of purported trojan and backdoor applications in seriously old files on my system. :)

My system now consistently reports clean of trojans and other Malware, but Process Monitor (and that blinking LED!) still shows what looks like suspicious activity to me. Now I am turning to you experts hoping you can find a way to clean this from my system.

The files do not show it clearly, but this is a dual-boot system with Ubuntu 10.10 as the other system.

One other clue: when I first noticed the strange activity and blinking LED and then began searching for the source of the blinking LED, my fans were acting weirdly, speeding up and slowing down for no apparent reason - a change from the usually well controlled behavior. My system may be an older one but it has been well maintained and monitored. At the present time this odd behavior has stopped, although the LED still blinks and the files keep being opened and closed.

Here are the requested files: Thanks in advance for whatever help you may provide! :)

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5684

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/5/2011 10:05:22 AM

mbam-log-2011-02-05 (10-05-22).txt

Scan type: Quick scan

Objects scanned: 214552

Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-12-12.02) - NTFSx86

Run by William Osipoff at 9:47:42.18 on Sat 02/05/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1414 [GMT -5:00]

AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: ZoneAlarm Extreme Security Firewall *Disabled*

FW: Kaspersky Internet Security *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\William Osipoff\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride =

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll

BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2k0.dll

BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll

TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

uRun: [NIRegistrationWizard] c:\program files\national instruments\shared\registrationwizard\bin\RegistrationWizard.exe -autoDiscover 1 -displayIfNoneFound 0 -displayRegisterOptions 1 -sleepIfNoneFound 0 -locale 1033

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"

mRun: [openvpn-gui] c:\program files\openvpn\bin\openvpn-gui.exe

mRun: [Launch Ai Booster] "c:\program files\asus\ai booster\OverClk.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe

StartupFolder: c:\docume~1\willia~1\startm~1\programs\startup\x10com~1.lnk - c:\program files\home control\X10BURST.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spbbac~1.lnk - c:\program files\spb backup\SpbBackupSync.exe

IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html

IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

Trusted Zone: nvidia.com\www

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190709753484

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -

WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -

WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -

WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -

WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -

WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -

WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -

Notify: klogon - c:\windows\system32\klogon.dll

AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\willia~1\applic~1\mozilla\firefox\profiles\raabsthh.bill\

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npLegitCheckPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv2010win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPLV80Win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPLV82Win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv85win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv86win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv90win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPOFFICE.DLL

FF - plugin: c:\program files\mozilla firefox\plugins\nppl3260.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nprjplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nprpjplug.dll

FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\opera\program\plugins\nprjplug.dll

FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox 4.0 beta 8\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2010-3-24 15448]

R0 nipxibaf;National Instruments PXI Bridge Access Driver;c:\windows\system32\drivers\nipxibaf.sys [2010-6-21 58504]

R0 nipxibrc;National Instruments PXI Bridge Configuration Driver;c:\windows\system32\drivers\nipxibrc.sys [2010-6-21 42136]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-11-5 475736]

R1 spusbaudio;USB Microphone;c:\windows\system32\drivers\CA506AA.sys [2008-8-26 39824]

R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-11-2 365336]

R2 niarbk;niarbk;c:\windows\system32\drivers\niarbk.dll [2007-4-16 37376]

R2 nibffrk;nibffrk;c:\windows\system32\drivers\nibffrk.dll [2007-4-16 21504]

R2 nicanpk;nicanpk;c:\windows\system32\drivers\nicanpkl.sys [2010-6-11 11408]

R2 Nidaq32k;Nidaq32k;c:\windows\system32\drivers\nidaq32k.sys [2007-4-16 674304]

R2 nidmmk;NI DMM and Data Logger Kernel Driver;c:\windows\system32\drivers\nidmmk.dll [2007-4-16 50688]

R2 nimdsk;nimdsk;c:\windows\system32\drivers\nimdsk.dll [2007-4-16 30208]

R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2010-6-14 11416]

R2 nistck;nistck;c:\windows\system32\drivers\niSTCk.dll [2007-4-16 111616]

R2 nistreamk;nistreamk;c:\windows\system32\drivers\nistreamkl.sys [2010-6-17 19608]

R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2010-6-23 11432]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R3 kcanv;Kvaser Virtual CAN Driver;c:\windows\system32\drivers\kcanv.sys [2009-10-21 52016]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]

R3 kvnetenum;Kvaser Network Enumerator;c:\windows\system32\drivers\kvnetenum.sys [2009-10-21 26672]

R3 SPCA506AV;X10 VA11A Video Capture;c:\windows\system32\drivers\CA506AV.SYS [2008-8-26 162096]

S0 kudw;kudw;c:\windows\system32\drivers\jjogtba.sys --> c:\windows\system32\drivers\jjogtba.sys [?]

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\willia~1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\willia~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\willia~1\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\willia~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 ISWKL;ZoneAlarm ForceField ISWKL;\??\c:\program files\checkpoint\zaforcefield\iswkl.sys --> c:\program files\checkpoint\zaforcefield\ISWKL.sys [?]

S3 cmuda2;Audio Advantage Micro Interface;c:\windows\system32\drivers\cmuda2.sys [2010-11-21 705536]

S3 flash;flash;\??\c:\documents and settings\william osipoff\my documents\download\pc repairs\serenity\bios_v1.10_dos_winx86x64\x86\flash.sys --> c:\documents and settings\william osipoff\my documents\download\pc repairs\serenity\bios_v1.10_dos_winx86x64\x86\flash.sys [?]

S3 icsak;icsak;\??\c:\program files\checkpoint\zaforcefield\ak\icsak.sys --> c:\program files\checkpoint\zaforcefield\ak\icsak.sys [?]

S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [2008-12-5 20104]

S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2.tmp [2011-1-31 6144]

S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2010-6-21 26192]

S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2010-6-21 11344]

S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [2010-6-21 22608]

S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [2009-12-15 17480]

S3 nicanpkw;NI-CAN Driver;c:\windows\system32\drivers\nicanpkw.sys [2009-9-11 11336]

S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [2009-7-17 11352]

S3 nicmrk;nicmrk;c:\windows\system32\drivers\nicmrkl.sys [2010-6-15 11440]

S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [2010-6-15 11408]

S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2010-6-11 11432]

S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [2010-2-25 11336]

S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2010-2-6 11344]

S3 nidwgk;nidwgk;c:\windows\system32\drivers\nidwgkl.sys [2009-5-27 11360]

S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2010-6-15 11408]

S3 niemrkw;niemrkw;c:\windows\system32\drivers\niemrkw.sys --> c:\windows\system32\drivers\niemrkw.sys [?]

S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2010-6-15 11408]

S3 nigplk;nigplk;c:\windows\system32\drivers\nigplkl.sys [2009-6-17 11640]

S3 nihsdrk;nihsdrk;c:\windows\system32\drivers\nihsdrkl.sys [2009-4-8 11352]

S3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [2009-8-24 11360]

S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [2010-2-2 11904]

S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [2009-7-23 14464]

S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [2009-7-23 151683]

S3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [2010-2-1 11872]

S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [2010-2-1 11880]

S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [2010-2-5 11360]

S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2010-6-2 11968]

S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2010-6-2 11968]

S3 nipsdk;nipsdk;c:\windows\system32\drivers\nipsdkl.sys [2009-6-11 11392]

S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2010-6-14 21144]

S3 niraptrk;niraptrk;c:\windows\system32\drivers\niraptrkl.sys [2010-6-15 11400]

S3 nirfsa2k;nirfsa2k;c:\windows\system32\drivers\niRFSA2kl.sys [2009-6-1 11328]

S3 niRFSGk;niRFSGk;c:\windows\system32\drivers\niRFSGkl.sys [2009-4-27 11328]

S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [2009-7-14 11376]

S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [2010-2-10 11352]

S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [2010-2-5 11344]

S3 nisldk;nisldk;c:\windows\system32\drivers\nisldkl.sys [2009-6-18 11344]

S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [2009-7-14 11376]

S3 nisrcdk;nisrcdk;c:\windows\system32\drivers\nisrcdkl.sys [2009-6-26 11352]

S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2010-6-15 11408]

S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [2009-1-5 11312]

S3 nistc3rk;nistc3rk;c:\windows\system32\drivers\nistc3rkl.sys [2010-5-3 11400]

S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2009-8-31 11360]

S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [2009-9-1 11336]

S3 niSynck;niSynck;c:\windows\system32\drivers\niSynckl.sys [2010-6-22 11408]

S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2010-2-6 11360]

S3 nitnr2k;nitnr2k;c:\windows\system32\drivers\nitnr2kl.sys [2009-4-10 11328]

S3 nitsuk;nitsuk;c:\windows\system32\drivers\nitsukl.sys [2010-5-5 11424]

S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [2010-6-15 11432]

S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2010-6-23 11432]

S3 niwdk;niwdk;c:\windows\system32\drivers\niwdk.sys [2009-8-14 28256]

S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2010-6-15 11408]

S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2010-6-15 11408]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 332928]

S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]

S3 usb6xxxkw;usb6xxxkw;c:\windows\system32\drivers\usb6xxxkw.sys --> c:\windows\system32\drivers\usb6xxxkw.sys [?]

S3 uti2njex;AVZ Kernel Driver;\??\c:\windows\system32\drivers\uti2njex.sys --> c:\windows\system32\drivers\uti2njex.sys [?]

S3 VPCASp50;VPCASp50 NDIS Protocol Driver;c:\windows\system32\drivers\VPCASp50.sys [2010-3-8 27072]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2010-11-21 7040]

S4 BKRUEK;BKRUEK;c:\docume~1\willia~1\locals~1\temp\bkruek.exe --> c:\docume~1\willia~1\locals~1\temp\BKRUEK.exe [?]

S4 CI;CI;c:\docume~1\willia~1\locals~1\temp\ci.exe --> c:\docume~1\willia~1\locals~1\temp\CI.exe [?]

S4 gupdate1c98f9c655555b2;Google Update Service (gupdate1c98f9c655555b2);c:\program files\google\update\GoogleUpdate.exe [2009-2-15 133104]

S4 IswSvc;ZoneAlarm ForceField IswSvc;"c:\program files\checkpoint\zaforcefield\iswsvc.exe" --> c:\program files\checkpoint\zaforcefield\IswSvc.exe [?]

S4 KvEnumSrv;Kvaser Network Enumerator Service;c:\program files\kvaser\drivers\KvEnumSrv.exe [2009-10-21 72208]

S4 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2010-3-24 12696]

S4 NIApplicationWebServer;NI Application Web Server;c:\program files\national instruments\shared\ni webserver\ApplicationWebServer.exe [2010-6-22 47776]

S4 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2010-3-24 12696]

S4 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\ivi foundation\visa\winnt\nivisa\niLxiDiscovery.exe [2010-6-23 131776]

S4 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\national instruments\shared\mdns responder\nimdnsResponder.exe [2010-6-23 193712]

S4 NiRioRpc;National Instruments RIO Server;c:\windows\system32\NiRioRpc.exe [2010-6-26 31880]

S4 nitsuu;nitsuu;c:\windows\system32\nipalsm.exe [2010-3-24 12696]

S4 PAQXN;PAQXN;c:\docume~1\willia~1\locals~1\temp\paqxn.exe --> c:\docume~1\willia~1\locals~1\temp\PAQXN.exe [?]

S4 SUPLQB;SUPLQB;c:\docume~1\willia~1\locals~1\temp\suplqb.exe --> c:\docume~1\willia~1\locals~1\temp\SUPLQB.exe [?]

S4 TPGYOG;TPGYOG;c:\docume~1\willia~1\locals~1\temp\tpgyog.exe --> c:\docume~1\willia~1\locals~1\temp\TPGYOG.exe [?]

=============== Created Last 30 ================

2011-02-03 00:40:33 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2011-02-03 00:40:33 114243 ----a-w- c:\windows\system32\drivers\klin.dat

2011-02-03 00:39:20 -------- d-----w- c:\program files\Kaspersky Lab

2011-02-03 00:39:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab

2011-02-01 00:30:37 6144 ------w- c:\windows\system32\2.tmp

2011-02-01 00:30:26 6144 ------w- c:\windows\system32\1.tmp

2011-01-30 23:38:40 -------- d-----w- c:\program files\Emsisoft Anti-Malware

2011-01-28 17:12:32 6144 ------w- c:\windows\system32\5.tmp

2011-01-28 17:12:21 6144 ------w- c:\windows\system32\4.tmp

2011-01-28 17:12:12 -------- d-----w- c:\program files\Sophos

2011-01-23 18:46:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

2011-01-23 14:34:45 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2011-01-15 23:00:17 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll

2011-01-15 22:59:59 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll

2011-01-15 22:59:25 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll

2011-01-14 18:16:41 3584 ----a-r- c:\docume~1\willia~1\applic~1\microsoft\installer\{121634b0-2f4b-11d3-ada3-00c04f52dd52}\Icon386ED4E3.exe

2011-01-14 18:16:41 -------- d-----w- c:\program files\Windows Installer Clean Up

2011-01-14 18:12:58 -------- d--h--w- c:\windows\system32\GroupPolicy

2011-01-14 15:14:44 -------- d-----w- c:\docume~1\willia~1\applic~1\SUPERAntiSpyware.com

2011-01-14 15:14:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-01-14 00:51:53 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin

2011-01-14 00:51:53 446464 ----a-w- c:\windows\system32\nvunrm.exe

2011-01-09 22:41:58 -------- d-----w- c:\program files\trend micro

2011-01-07 17:40:06 -------- d---a-w- C:\.Trash-1000

2011-01-06 23:50:01 102400 ----a-w- c:\windows\RegBootClean.exe

==================== Find3M ====================

2011-01-15 22:59:20 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-01-02 20:00:00 60416 ----a-w- c:\windows\ALCFDRTM.VER

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-28 23:35:35 194560 ----a-w- c:\windows\ASUS_Ai_Proactive_Screensaver (E).scr

2010-11-28 23:35:23 606848 ----a-w- c:\windows\flashax.exe

2010-11-28 23:35:22 12288 ----a-w- c:\windows\impborl.dll

2010-11-26 19:52:43 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin

2010-11-26 19:52:43 1 ----a-w- c:\windows\system32\nvdrssel.bin

2010-11-26 19:52:36 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe

============= FINISH: 9:50:00.17 ===============

Attach.zip

Hello BillinDetroit! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on this.
  • Keep me informed about any changes.

Please visit www.virustotal.com and upload the following file:

c:\windows\system32\nvunrm.exe

Post the results in your next reply.


Borislav: Thank you for taking the time to assist me.

I uploaded the file per your request and it looked clean to the scan. Here is what was said:

"0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name:

nvunrm.exe

Submission date:

2011-02-06 00:49:55 (UTC)

Current status:

queued (#1162) queued (#1162) analysing finished

Result:

0/ 43 (0.0%)"

What would you like me to try next?

Bill


I want to mention that while I was awaiting the initial reply (which turned out to be yours) I tried running rootkit unhooker 3.8.388.590 Type LE, which did seem to indicate some issues with a rootkit. Not wanting to make matters worse I did not "unhook" anything.

Thanks again for your help. I await your next post.


  1. Please download the Suspicious File Packer (by Safer Networking Limited) and unzip to your desktop.
  2. Run sfp.exe
  3. Copy the following paths from the code box into the SFP window:
    c:\windows\system32\drivers\jjogtba.sys
    c:\windows\system32\drivers\kudw.sys
    C:\Documents and Settings\William Osipoff\Local Settings\temp\bkruek.exe
    C:\Documents and Settings\William Osipoff\Local Settings\temp\ci.exe
    C:\Documents and Settings\William Osipoff\Local Settings\temp\paqxn.exe
    C:\Documents and Settings\William Osipoff\Local Settings\temp\suplqb.exe
    C:\Documents and Settings\William Osipoff\Local Settings\temp\tpgyog.exe
  4. Allow SFP to pack the files; a CAB archive will then be generated on your desktop.

Next, please upload this archive here:

http://forums.malwarebytes.org/index.php?showforum=51

But first read the rules:

http://forums.malwarebytes.org/index.php?showtopic=31067


Borislav: Once again I thank you for your support on this issue. However, I told you it would not be easy. This would be a lot easier if the files you asked for existed on my computer. They show up as services in the registry but they do not exist in the locations listed (or anywhere else on my computer).

This may be because the Kaspersky Internet Security running on my PC found "Trojan.Downloader.Win32.CodecPack.SJT" in the file E9C3E587.exe in the windows/system32 directory and cleaned it last night, after I had posted the files and created the original topic. The cleaning required a reboot and it continued after the reboot and found the computer to be clean. However, I still see activity on my machine that is unaccounted for.

I downloaded and ran the Suspicious File Packer anyway and had the file scanned at Virus Total, which found nothing - I did not post it there because the file size is only 466 bytes - I am pretty sure the file is empty. Do you think I should post it anyway?

Thanks again for your help.


may be because the Kaspersky Internet Security running on my PC found "Trojan.Downloader.Win32.CodecPack.SJT" in the file E9C3E587.exe in the windows/system32 directory and cleaned it last night, after I had posted the files and created the original topic. The cleaning required a reboot and it continued after the reboot and found the computer to be clean. However, I still see activity on my machine that is unaccounted for.

You should have told me, because it is very important.

Please manually update your Kaspersky, perform a full system scan and post a new fresh DDS log file.

Link to post
Share on other sites

Here are the files you requested.

DDS (Ver_10-12-12.02) - NTFSx86

Run by William Osipoff at 5:36:55.56 on Mon 02/07/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1241 [GMT -5:00]

AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: ZoneAlarm Extreme Security Firewall *Disabled*

FW: Kaspersky Internet Security *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Spb Backup\SpbBackupSync.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\William Osipoff\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride =

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll

BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2k0.dll

BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll

TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

uRun: [NIRegistrationWizard] c:\program files\national instruments\shared\registrationwizard\bin\RegistrationWizard.exe -autoDiscover 1 -displayIfNoneFound 0 -displayRegisterOptions 1 -sleepIfNoneFound 0 -locale 1033

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"

mRun: [openvpn-gui] c:\program files\openvpn\bin\openvpn-gui.exe

mRun: [Launch Ai Booster] "c:\program files\asus\ai booster\OverClk.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe

StartupFolder: c:\docume~1\willia~1\startm~1\programs\startup\x10com~1.lnk - c:\program files\home control\X10BURST.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spbbac~1.lnk - c:\program files\spb backup\SpbBackupSync.exe

IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html

IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll

Trusted Zone: nvidia.com\www

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190709753484

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -

WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -

WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -

WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -

WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -

WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -

WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -

Notify: klogon - c:\windows\system32\klogon.dll

AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\willia~1\applic~1\mozilla\firefox\profiles\raabsthh.bill\

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npLegitCheckPlugin.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv2010win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPLV80Win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPLV82Win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv85win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv86win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nplv90win32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPOFFICE.DLL

FF - plugin: c:\program files\mozilla firefox\plugins\nppl3260.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nprjplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nprpjplug.dll

FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\opera\program\plugins\nprjplug.dll

FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox 4.0 beta 8\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2010-3-24 15448]

R0 nipxibaf;National Instruments PXI Bridge Access Driver;c:\windows\system32\drivers\nipxibaf.sys [2010-6-21 58504]

R0 nipxibrc;National Instruments PXI Bridge Configuration Driver;c:\windows\system32\drivers\nipxibrc.sys [2010-6-21 42136]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-11-5 475736]

R1 spusbaudio;USB Microphone;c:\windows\system32\drivers\CA506AA.sys [2008-8-26 39824]

R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe [2010-11-2 365336]

R2 niarbk;niarbk;c:\windows\system32\drivers\niarbk.dll [2007-4-16 37376]

R2 nibffrk;nibffrk;c:\windows\system32\drivers\nibffrk.dll [2007-4-16 21504]

R2 nicanpk;nicanpk;c:\windows\system32\drivers\nicanpkl.sys [2010-6-11 11408]

R2 Nidaq32k;Nidaq32k;c:\windows\system32\drivers\nidaq32k.sys [2007-4-16 674304]

R2 nidmmk;NI DMM and Data Logger Kernel Driver;c:\windows\system32\drivers\nidmmk.dll [2007-4-16 50688]

R2 nimdsk;nimdsk;c:\windows\system32\drivers\nimdsk.dll [2007-4-16 30208]

R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2010-6-14 11416]

R2 nistck;nistck;c:\windows\system32\drivers\niSTCk.dll [2007-4-16 111616]

R2 nistreamk;nistreamk;c:\windows\system32\drivers\nistreamkl.sys [2010-6-17 19608]

R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2010-6-23 11432]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R3 kcanv;Kvaser Virtual CAN Driver;c:\windows\system32\drivers\kcanv.sys [2009-10-21 52016]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]

R3 kvnetenum;Kvaser Network Enumerator;c:\windows\system32\drivers\kvnetenum.sys [2009-10-21 26672]

R3 SPCA506AV;X10 VA11A Video Capture;c:\windows\system32\drivers\CA506AV.SYS [2008-8-26 162096]

S0 kudw;kudw;c:\windows\system32\drivers\jjogtba.sys --> c:\windows\system32\drivers\jjogtba.sys [?]

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\willia~1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\willia~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\willia~1\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\willia~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 ISWKL;ZoneAlarm ForceField ISWKL;\??\c:\program files\checkpoint\zaforcefield\iswkl.sys --> c:\program files\checkpoint\zaforcefield\ISWKL.sys [?]

S3 cmuda2;Audio Advantage Micro Interface;c:\windows\system32\drivers\cmuda2.sys [2010-11-21 705536]

S3 flash;flash;\??\c:\documents and settings\william osipoff\my documents\download\pc repairs\serenity\bios_v1.10_dos_winx86x64\x86\flash.sys --> c:\documents and settings\william osipoff\my documents\download\pc repairs\serenity\bios_v1.10_dos_winx86x64\x86\flash.sys [?]

S3 icsak;icsak;\??\c:\program files\checkpoint\zaforcefield\ak\icsak.sys --> c:\program files\checkpoint\zaforcefield\ak\icsak.sys [?]

S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [2008-12-5 20104]

S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2.tmp [2011-1-31 6144]

S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2010-6-21 26192]

S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2010-6-21 11344]

S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [2010-6-21 22608]

S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [2009-12-15 17480]

S3 nicanpkw;NI-CAN Driver;c:\windows\system32\drivers\nicanpkw.sys [2009-9-11 11336]

S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [2009-7-17 11352]

S3 nicmrk;nicmrk;c:\windows\system32\drivers\nicmrkl.sys [2010-6-15 11440]

S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [2010-6-15 11408]

S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2010-6-11 11432]

S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [2010-2-25 11336]

S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2010-2-6 11344]

S3 nidwgk;nidwgk;c:\windows\system32\drivers\nidwgkl.sys [2009-5-27 11360]

S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2010-6-15 11408]

S3 niemrkw;niemrkw;c:\windows\system32\drivers\niemrkw.sys --> c:\windows\system32\drivers\niemrkw.sys [?]

S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2010-6-15 11408]

S3 nigplk;nigplk;c:\windows\system32\drivers\nigplkl.sys [2009-6-17 11640]

S3 nihsdrk;nihsdrk;c:\windows\system32\drivers\nihsdrkl.sys [2009-4-8 11352]

S3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [2009-8-24 11360]

S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [2010-2-2 11904]

S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [2009-7-23 14464]

S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [2009-7-23 151683]

S3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [2010-2-1 11872]

S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [2010-2-1 11880]

S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [2010-2-5 11360]

S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2010-6-2 11968]

S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2010-6-2 11968]

S3 nipsdk;nipsdk;c:\windows\system32\drivers\nipsdkl.sys [2009-6-11 11392]

S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2010-6-14 21144]

S3 niraptrk;niraptrk;c:\windows\system32\drivers\niraptrkl.sys [2010-6-15 11400]

S3 nirfsa2k;nirfsa2k;c:\windows\system32\drivers\niRFSA2kl.sys [2009-6-1 11328]

S3 niRFSGk;niRFSGk;c:\windows\system32\drivers\niRFSGkl.sys [2009-4-27 11328]

S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [2009-7-14 11376]

S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [2010-2-10 11352]

S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [2010-2-5 11344]

S3 nisldk;nisldk;c:\windows\system32\drivers\nisldkl.sys [2009-6-18 11344]

S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [2009-7-14 11376]

S3 nisrcdk;nisrcdk;c:\windows\system32\drivers\nisrcdkl.sys [2009-6-26 11352]

S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2010-6-15 11408]

S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [2009-1-5 11312]

S3 nistc3rk;nistc3rk;c:\windows\system32\drivers\nistc3rkl.sys [2010-5-3 11400]

S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2009-8-31 11360]

S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [2009-9-1 11336]

S3 niSynck;niSynck;c:\windows\system32\drivers\niSynckl.sys [2010-6-22 11408]

S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2010-2-6 11360]

S3 nitnr2k;nitnr2k;c:\windows\system32\drivers\nitnr2kl.sys [2009-4-10 11328]

S3 nitsuk;nitsuk;c:\windows\system32\drivers\nitsukl.sys [2010-5-5 11424]

S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [2010-6-15 11432]

S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2010-6-23 11432]

S3 niwdk;niwdk;c:\windows\system32\drivers\niwdk.sys [2009-8-14 28256]

S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2010-6-15 11408]

S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2010-6-15 11408]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 332928]

S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]

S3 usb6xxxkw;usb6xxxkw;c:\windows\system32\drivers\usb6xxxkw.sys --> c:\windows\system32\drivers\usb6xxxkw.sys [?]

S3 uti2njex;AVZ Kernel Driver;\??\c:\windows\system32\drivers\uti2njex.sys --> c:\windows\system32\drivers\uti2njex.sys [?]

S3 VPCASp50;VPCASp50 NDIS Protocol Driver;c:\windows\system32\drivers\VPCASp50.sys [2010-3-8 27072]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2010-11-21 7040]

S4 BKRUEK;BKRUEK;c:\docume~1\willia~1\locals~1\temp\bkruek.exe --> c:\docume~1\willia~1\locals~1\temp\BKRUEK.exe [?]

S4 CI;CI;c:\docume~1\willia~1\locals~1\temp\ci.exe --> c:\docume~1\willia~1\locals~1\temp\CI.exe [?]

S4 gupdate1c98f9c655555b2;Google Update Service (gupdate1c98f9c655555b2);c:\program files\google\update\GoogleUpdate.exe [2009-2-15 133104]

S4 IswSvc;ZoneAlarm ForceField IswSvc;"c:\program files\checkpoint\zaforcefield\iswsvc.exe" --> c:\program files\checkpoint\zaforcefield\IswSvc.exe [?]

S4 KvEnumSrv;Kvaser Network Enumerator Service;c:\program files\kvaser\drivers\KvEnumSrv.exe [2009-10-21 72208]

S4 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2010-3-24 12696]

S4 NIApplicationWebServer;NI Application Web Server;c:\program files\national instruments\shared\ni webserver\ApplicationWebServer.exe [2010-6-22 47776]

S4 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2010-3-24 12696]

S4 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\ivi foundation\visa\winnt\nivisa\niLxiDiscovery.exe [2010-6-23 131776]

S4 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\national instruments\shared\mdns responder\nimdnsResponder.exe [2010-6-23 193712]

S4 NiRioRpc;National Instruments RIO Server;c:\windows\system32\NiRioRpc.exe [2010-6-26 31880]

S4 nitsuu;nitsuu;c:\windows\system32\nipalsm.exe [2010-3-24 12696]

S4 PAQXN;PAQXN;c:\docume~1\willia~1\locals~1\temp\paqxn.exe --> c:\docume~1\willia~1\locals~1\temp\PAQXN.exe [?]

S4 SUPLQB;SUPLQB;c:\docume~1\willia~1\locals~1\temp\suplqb.exe --> c:\docume~1\willia~1\locals~1\temp\SUPLQB.exe [?]

S4 TPGYOG;TPGYOG;c:\docume~1\willia~1\locals~1\temp\tpgyog.exe --> c:\docume~1\willia~1\locals~1\temp\TPGYOG.exe [?]

=============== Created Last 30 ================

2011-02-03 00:40:33 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2011-02-03 00:40:33 114243 ----a-w- c:\windows\system32\drivers\klin.dat

2011-02-03 00:39:20 -------- d-----w- c:\program files\Kaspersky Lab

2011-02-03 00:39:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab

2011-02-01 00:30:37 6144 ------w- c:\windows\system32\2.tmp

2011-02-01 00:30:26 6144 ------w- c:\windows\system32\1.tmp

2011-01-30 23:38:40 -------- d-----w- c:\program files\Emsisoft Anti-Malware

2011-01-28 17:12:32 6144 ------w- c:\windows\system32\5.tmp

2011-01-28 17:12:21 6144 ------w- c:\windows\system32\4.tmp

2011-01-28 17:12:12 -------- d-----w- c:\program files\Sophos

2011-01-23 18:46:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

2011-01-23 14:34:45 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2011-01-15 23:00:17 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll

2011-01-15 22:59:59 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll

2011-01-15 22:59:25 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll

2011-01-14 18:16:41 3584 ----a-r- c:\docume~1\willia~1\applic~1\microsoft\installer\{121634b0-2f4b-11d3-ada3-00c04f52dd52}\Icon386ED4E3.exe

2011-01-14 18:16:41 -------- d-----w- c:\program files\Windows Installer Clean Up

2011-01-14 18:12:58 -------- d--h--w- c:\windows\system32\GroupPolicy

2011-01-14 15:14:44 -------- d-----w- c:\docume~1\willia~1\applic~1\SUPERAntiSpyware.com

2011-01-14 15:14:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-01-14 00:51:53 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin

2011-01-14 00:51:53 446464 ----a-w- c:\windows\system32\nvunrm.exe

2011-01-09 22:41:58 -------- d-----w- c:\program files\trend micro

==================== Find3M ====================

2011-01-15 22:59:20 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-01-06 23:50:01 102400 ----a-w- c:\windows\RegBootClean.exe

2011-01-02 20:00:00 60416 ----a-w- c:\windows\ALCFDRTM.VER

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-28 23:35:35 194560 ----a-w- c:\windows\ASUS_Ai_Proactive_Screensaver (E).scr

2010-11-28 23:35:23 606848 ----a-w- c:\windows\flashax.exe

2010-11-28 23:35:22 12288 ----a-w- c:\windows\impborl.dll

2010-11-26 19:52:43 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin

2010-11-26 19:52:43 1 ----a-w- c:\windows\system32\nvdrssel.bin

2010-11-26 19:52:36 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

============= FINISH: 5:38:15.90 ===============

Attach.zip

Link to post
Share on other sites
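The DDS log above is what the helper is working from. The entries that matter are the S4 services whose image sits in the user's temp directory and that DDS could not find on disk (BKRUEK, CI, PAQXN, SUPLQB, TPGYOG, each marked "[?]"), and the boot-start driver kudw whose image is a differently named jjogtba.sys, also missing; those are exactly the names the CFScript later removes. The script below is added here as an example and is not part of the thread, of DDS, or of any Malwarebytes tooling: it parses the SERVICES / DRIVERS section of a DDS log and flags entries by those traits. The sample log is constructed from a few lines of the log above; the function and field names are my own.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log (added example)."""
import re
from dataclasses import dataclass

# One DDS service/driver line looks like
#   R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
#   S4 PAQXN;PAQXN;c:\...\temp\paqxn.exe --> c:\...\temp\PAQXN.exe [?]
# i.e. <R|S><start type> <service name>;<display name>;<image> [<date size> or ?]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)


@dataclass
class Entry:
    state: str     # R = running, S = stopped
    start: int     # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str      # key name under HKLM\SYSTEM\CurrentControlSet\Services
    display: str
    path: str      # resolved image path
    missing: bool  # DDS printed "[?]": it could not stat the file


def parse_entry(line):
    """Parse one service/driver line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")
    # For a missing file DDS prints "<registry value> --> <resolved path> [?]";
    # keep the resolved path and drop the trailing "[...]" annotation.
    path = rest.split("-->")[-1]
    path = re.sub(r"\s*\[[^\]]*\]$", "", path).strip()
    path = path.replace("\\??\\", "")  # NT object-manager prefix some ImagePath values carry
    return Entry(m.group("state"), int(m.group("start")), m.group("name"),
                 m.group("display"), path, missing)


def findings(entry):
    """Indicators that mark an entry for follow-up (leads, not a verdict)."""
    out = []
    p = entry.path.lower()
    base = p.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    if "\\temp\\" in p:
        out.append("image in temp directory")
    if entry.missing:
        out.append("image file not found on disk")
    # A boot-start driver whose service name and file name differ is unusual
    # for a vendor driver; this is how kudw -> jjogtba.sys shows up.
    if base.endswith(".sys") and entry.start == 0 and stem != entry.name.lower():
        out.append("boot driver name does not match file name")
    if base.endswith(".tmp"):
        out.append("service backed by .tmp file")
    return out


def triage(log_text):
    """Map service name -> findings for every flagged entry in the log."""
    flagged, in_section = {}, False
    for line in log_text.splitlines():
        if line.startswith("=") and "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("====="):
            break  # next section header, e.g. "Created Last 30"
        if not in_section:
            continue
        e = parse_entry(line)
        if e is None:
            continue
        f = findings(e)
        if f:
            flagged[e.name] = f
    return flagged


# Constructed sample: a handful of lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R1 spusbaudio;USB Microphone;c:\windows\system32\drivers\CA506AA.sys [2008-8-26 39824]
S0 kudw;kudw;c:\windows\system32\drivers\jjogtba.sys --> c:\windows\system32\drivers\jjogtba.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\willia~1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\willia~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2.tmp [2011-1-31 6144]
S4 PAQXN;PAQXN;c:\docume~1\willia~1\locals~1\temp\paqxn.exe --> c:\docume~1\willia~1\locals~1\temp\PAQXN.exe [?]
S4 gupdate1c98f9c655555b2;Google Update Service (gupdate1c98f9c655555b2);c:\program files\google\update\GoogleUpdate.exe [2009-2-15 133104]
=============== Created Last 30 ================
"""

if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(f"{name:12s} {'; '.join(why)}")
```

Hits are leads, not verdicts. On the sample, kudw, PAQXN, SASDIFSV and MEMSWEEP2 are flagged while kl1, spusbaudio and the Google updater are not; SASDIFSV is the SUPERAntiSpyware driver left from an earlier scan (the sas_selfextract path and the SUPERAntiSpyware.com folder in the Created Last 30 list), and a numbered .tmp under system32 registered as a service is the pattern on-demand scanners leave behind (4.tmp and 5.tmp were created in the same minute as the Sophos folder). A flagged entry still has to be checked against what the user actually installed, which is why the helper asks for the files themselves before deleting anything.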

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do not do any fixing on your own or run scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as shown in the screenshots (CF_download_FF.gif, CF_download_rename.gif).
  3. It is important that you rename Combofix during the download, not after.
  4. Please do not rename Combofix to any other name, only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to reconnect your machine to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double-click Combo-Fix.exe and follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not click in ComboFix's window while it is running. That may cause it to stall.**

Link to post
Share on other sites

I have attached the combofix.txt file:

Thanks again for your help.

ComboFix.txt

Link to post
Share on other sites

I will collect and delete multiple files with this script. ComboFix will tell you whether the files were sent successfully or not; please let me know.

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=74647

SecCenter::
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

Driver::
PAQXN
SUPLQB
TPGYOG
kudw

Collect::[8]
C:\Documents and Settings\William Osipoff\Local Settings\temp\PAQXN.exe
C:\Documents and Settings\William Osipoff\Local Settings\temp\SUPLQB.exe
C:\Documents and Settings\William Osipoff\Local Settings\temp\TPGYOG.exe
c:\windows\system32\drivers\jjogtba.sys

File::
c:\windows\system32\drivers\SET24E.tmp

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Borislav:

I followed the instructions and have attached the latest combofix log to this reply. Let me know what you want me to do next. I will hold off on installing the latest Windows updates (which I just got prompted to install after the combofix automatic reboot) until you let me know it is OK to install them.

Thanks again for your help.

Bill

ComboFix.txt


I tried to reply last night but the board was down - looks like it is up now. You should have the Combofix log from the last cleaning I posted in response #12. What do you want me to do now? I am not sure what you mean by "ComboFix will tell you whether the files were sent successfully or not. Please tell me." I didn't see any special messages from Combofix other than the log. My computer still seems infected.

Thanks again,

Bill


  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic in our forum.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Let me know how things are running now.


Please excuse my ignorance here, but is there supposed to be a file at the location c:\Qoobox\Quarantine\ already zipped or am I supposed to zip the contents of that folder? There are two folders and two files in the directory, none of them a zip file. :)


Now, I see the problem. Thanks! :)

Please try this one:

Open Notepad and copy and paste the text in the code box below into it:

Driver::
BKRUEK
CI

File::
C:\Documents and Settings\William Osipoff\Local Settings\temp\BKRUEK.exe
C:\Documents and Settings\William Osipoff\Local Settings\temp\CI.exe

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Here is the combofix.txt file (attached - I think it is a little long to cut and paste it so I uploaded it instead - I hope that is OK).

I still see hard disk activity that should not be occurring. :)

Thanks again for your help. :)

ComboFix.txt


OK, here you go. :)

ComboFix 11-02-11.01 - William Osipoff 02/12/2011 0:26.11.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1555 [GMT -5:00]

Running from: c:\documents and settings\William Osipoff\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\William Osipoff\Desktop\CFScript.txt

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::

"c:\documents and settings\William Osipoff\Local Settings\temp\BKRUEK.exe"

"c:\documents and settings\William Osipoff\Local Settings\temp\CI.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_BKRUEK

-------\Legacy_CI

-------\Service_BKRUEK

-------\Service_CI

((((((((((((((((((((((((( Files Created from 2011-01-12 to 2011-02-12 )))))))))))))))))))))))))))))))

.

2011-02-10 00:13 . 2011-02-10 00:34 -------- d-----w- C:\Combo-Fix

2011-02-03 00:40 . 2011-02-03 01:06 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2011-02-03 00:40 . 2011-02-03 01:06 114243 ----a-w- c:\windows\system32\drivers\klin.dat

2011-02-03 00:39 . 2011-02-03 00:39 -------- d-----w- c:\program files\Kaspersky Lab

2011-02-03 00:39 . 2011-02-12 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab

2011-02-02 23:16 . 2011-02-02 23:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-02-01 00:30 . 2010-05-26 15:39 6144 ------w- c:\windows\system32\2.tmp

2011-01-30 23:38 . 2011-02-03 00:29 -------- d-----w- c:\program files\Emsisoft Anti-Malware

2011-01-28 17:12 . 2010-05-26 15:39 6144 ------w- c:\windows\system32\5.tmp

2011-01-28 17:12 . 2010-05-26 15:39 6144 ------w- c:\windows\system32\4.tmp

2011-01-28 17:12 . 2011-01-28 17:12 -------- d-----w- c:\program files\Sophos

2011-01-23 18:46 . 2011-01-23 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2011-01-23 14:34 . 2011-01-23 22:19 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2011-01-15 23:00 . 2011-01-15 23:00 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll

2011-01-15 22:59 . 2011-01-15 22:59 151776 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll

2011-01-15 22:59 . 2011-01-15 22:59 100352 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll

2011-01-15 18:19 . 2011-01-15 18:23 -------- d-----w- c:\documents and settings\Administrator

2011-01-14 18:16 . 2011-01-14 18:16 3584 ----a-r- c:\documents and settings\William Osipoff\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe

2011-01-14 18:16 . 2011-01-14 18:16 -------- d-----w- c:\program files\Windows Installer Clean Up

2011-01-14 18:12 . 2011-01-14 18:12 -------- d--h--w- c:\windows\system32\GroupPolicy

2011-01-14 15:14 . 2011-01-14 15:14 -------- d-----w- c:\documents and settings\William Osipoff\Application Data\SUPERAntiSpyware.com

2011-01-14 15:14 . 2011-01-14 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-01-14 00:51 . 2008-07-30 01:33 446464 ----a-w- c:\windows\system32\nvunrm.exe

2011-01-14 00:51 . 2008-07-08 13:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-15 22:59 . 2006-07-11 22:35 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-01-06 23:50 . 2011-01-06 23:50 102400 ----a-w- c:\windows\RegBootClean.exe

2011-01-02 20:00 . 2007-09-23 23:27 60416 ----a-w- c:\windows\ALCFDRTM.VER

2010-12-20 23:09 . 2009-03-06 10:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2009-03-06 10:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-28 23:35 . 2007-09-23 23:35 194560 ----a-w- c:\windows\ASUS_Ai_Proactive_Screensaver (E).scr

2010-11-28 23:35 . 2007-09-23 23:35 606848 ----a-w- c:\windows\flashax.exe

2010-11-28 23:35 . 2007-09-23 23:35 12288 ----a-w- c:\windows\impborl.dll

2010-11-20 01:41 . 2010-01-17 20:38 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys

2010-11-18 18:12 . 2007-09-23 23:02 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-16 23:12 . 2010-11-16 23:12 0 ----a-w- c:\windows\system32\drivers\SET25A.tmp

2010-06-25 18:57 . 2010-06-25 18:57 158720 ----a-w- c:\program files\internet explorer\plugins\LV2010ActiveXControl.dll

2004-03-15 22:51 . 2004-03-15 22:51 114688 ----a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll

2003-05-01 14:36 . 2003-05-01 14:36 114688 ----a-w- c:\program files\internet explorer\plugins\LV7ActiveXControl.dll

2006-01-23 14:32 . 2006-01-23 14:32 131072 ----a-w- c:\program files\internet explorer\plugins\LV80ActiveXControl.dll

2007-02-08 15:48 . 2007-02-08 15:48 133920 ----a-w- c:\program files\internet explorer\plugins\LV82ActiveXControl.dll

2007-07-25 00:03 . 2007-07-25 00:03 118784 ----a-w- c:\program files\internet explorer\plugins\LV85ActiveXControl.dll

2008-12-10 18:50 . 2008-12-10 18:50 118784 ----a-w- c:\program files\internet explorer\plugins\LV86ActiveXControl.dll

2010-05-25 17:43 . 2010-05-25 17:43 158720 ----a-w- c:\program files\internet explorer\plugins\LV90ActiveXControl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NIRegistrationWizard"="c:\program files\National Instruments\Shared\RegistrationWizard\Bin\RegistrationWizard.exe" [2010-06-21 846520]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-06-03 1753192]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-07 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-07 13902440]

"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-11-03 365336]

"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2010-11-11 104712]

"Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2005-08-04 3627008]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]

c:\documents and settings\William Osipoff\Start Menu\Programs\Startup\

X10 Communications Link.lnk - c:\program files\Home Control\X10BURST.EXE [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]

Spb Backup Sync.lnk - c:\program files\Spb Backup\SpbBackupSync.exe [2008-7-12 430080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-11-10 17:49 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]

2008-06-10 16:56 1442888 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

2007-01-09 02:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch PC Probe II]

2005-07-22 21:05 1901568 ----a-w- c:\program files\ASUS\PC Probe II\Probe2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]

2008-10-26 21:20 548864 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2009-10-14 18:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

2001-08-17 03:41 28738 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI Background Service]

2010-05-28 04:20 77824 ----a-w- c:\program files\National Instruments\Shared\Update Service\niupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\niDevMon]

2010-04-20 14:21 109712 ----a-w- c:\program files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

2004-03-10 20:26 406016 ----a-w- c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2007-03-15 01:01 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2011-01-15 22:59 274608 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WinMBR"=2 (0x2)

"MsMpSvc"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"TPGYOG"=3 (0x3)

"SUPLQB"=3 (0x3)

"rpcapd"=3 (0x3)

"RichVideo"=2 (0x2)

"Pml Driver HPZ12"=2 (0x2)

"PAQXN"=3 (0x3)

"ose"=3 (0x3)

"OpcEnum"=3 (0x3)

"nitsuu"=2 (0x2)

"NITaggerService"=2 (0x2)

"niSvcLoc"=2 (0x2)

"NiRioRpc"=3 (0x3)

"nipxirmu"=2 (0x2)

"nimDNSResponder"=2 (0x2)

"niLXIDiscovery"=2 (0x2)

"NILM License manager"=3 (0x3)

"NIDomainService"=2 (0x2)

"nidevldu"=2 (0x2)

"NIApplicationWebServer"=2 (0x2)

"ni488enumsvc"=2 (0x2)

"mxssvr"=2 (0x2)

"MDM"=2 (0x2)

"LVPrcSrv"=2 (0x2)

"lkTimeSync"=2 (0x2)

"lkClassAds"=2 (0x2)

"LkCitadelServer"=2 (0x2)

"LightScribeService"=2 (0x2)

"KvEnumSrv"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"IswSvc"=2 (0x2)

"idsvc"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

"CI"=3 (0x3)

"btwdins"=2 (0x2)

"BKRUEK"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\\Program Files\\National Instruments\\Shared\\mDNS Responder\\nimdnsResponder.exe"=

"c:\\Program Files\\National Instruments\\Shared\\NI WebServer\\ApplicationWebServer.exe"=

"c:\\Program Files\\National Instruments\\Shared\\NI WebServer\\SystemWebServer.exe"=

"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\WINDOWS\\system32\\nipalsm.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [3/24/2010 12:27 PM 15448]

R0 nipxibaf;National Instruments PXI Bridge Access Driver;c:\windows\system32\drivers\nipxibaf.sys [6/21/2010 3:31 PM 58504]

R0 nipxibrc;National Instruments PXI Bridge Configuration Driver;c:\windows\system32\drivers\nipxibrc.sys [6/21/2010 3:31 PM 42136]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]

R1 spusbaudio;USB Microphone;c:\windows\system32\drivers\CA506AA.sys [8/26/2008 9:31 PM 39824]

R2 niarbk;niarbk;c:\windows\system32\drivers\niarbk.dll [4/16/2007 3:40 PM 37376]

R2 nibffrk;nibffrk;c:\windows\system32\drivers\nibffrk.dll [4/16/2007 3:40 PM 21504]

R2 nicanpk;nicanpk;c:\windows\system32\drivers\nicanpkl.sys [6/11/2010 3:40 PM 11408]

R2 Nidaq32k;Nidaq32k;c:\windows\system32\drivers\nidaq32k.sys [4/16/2007 5:04 PM 674304]

R2 nidmmk;NI DMM and Data Logger Kernel Driver;c:\windows\system32\drivers\nidmmk.dll [4/16/2007 5:06 PM 50688]

R2 nimdsk;nimdsk;c:\windows\system32\drivers\nimdsk.dll [4/16/2007 3:41 PM 30208]

R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [6/14/2010 1:55 PM 11416]

R2 nistck;nistck;c:\windows\system32\drivers\niSTCk.dll [4/16/2007 3:42 PM 111616]

R2 nistreamk;nistreamk;c:\windows\system32\drivers\nistreamkl.sys [6/17/2010 2:43 PM 19608]

R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [6/23/2010 10:04 AM 11432]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]

R3 kcanv;Kvaser Virtual CAN Driver;c:\windows\system32\drivers\kcanv.sys [10/21/2009 5:41 PM 52016]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 11:06 AM 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]

R3 kvnetenum;Kvaser Network Enumerator;c:\windows\system32\drivers\kvnetenum.sys [10/21/2009 5:41 PM 26672]

R3 SPCA506AV;X10 VA11A Video Capture;c:\windows\system32\drivers\CA506AV.SYS [8/26/2008 9:31 PM 162096]

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\WILLIA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\WILLIA~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\WILLIA~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\WILLIA~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 ISWKL;ZoneAlarm ForceField ISWKL;\??\c:\program files\CheckPoint\ZAForceField\ISWKL.sys --> c:\program files\CheckPoint\ZAForceField\ISWKL.sys [?]

S3 cmuda2;Audio Advantage Micro Interface;c:\windows\system32\drivers\cmuda2.sys [11/21/2010 8:59 PM 705536]

S3 flash;flash;\??\c:\documents and settings\William Osipoff\My Documents\Download\PC Repairs\serenity\BIOS_v1.10_DOS_WinX86X64\x86\flash.sys --> c:\documents and settings\William Osipoff\My Documents\Download\PC Repairs\serenity\BIOS_v1.10_DOS_WinX86X64\x86\flash.sys [?]

S3 icsak;icsak;\??\c:\program files\CheckPoint\ZAForceField\AK\icsak.sys --> c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [?]

S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [12/5/2008 4:21 PM 20104]

S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2.tmp [1/31/2011 7:30 PM 6144]

S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [6/21/2010 3:31 PM 26192]

S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [6/21/2010 3:31 PM 11344]

S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [6/21/2010 3:31 PM 22608]

S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [12/15/2009 1:52 PM 17480]

S3 nicanpkw;NI-CAN Driver;c:\windows\system32\drivers\nicanpkw.sys [9/11/2009 6:15 PM 11336]

S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [7/17/2009 2:46 PM 11352]

S3 nicmrk;nicmrk;c:\windows\system32\drivers\nicmrkl.sys [6/15/2010 3:53 PM 11440]

S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [6/15/2010 3:47 PM 11408]

S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [6/11/2010 2:30 PM 11432]

S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [2/25/2010 12:52 PM 11336]

S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2/6/2010 2:54 PM 11344]

S3 nidwgk;nidwgk;c:\windows\system32\drivers\nidwgkl.sys [5/27/2009 2:58 PM 11360]

S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [6/15/2010 3:52 PM 11408]

S3 niemrkw;niemrkw;c:\windows\system32\DRIVERS\niemrkw.sys --> c:\windows\system32\DRIVERS\niemrkw.sys [?]

S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [6/15/2010 5:00 PM 11408]

S3 nigplk;nigplk;c:\windows\system32\drivers\nigplkl.sys [6/17/2009 1:18 PM 11640]

S3 nihsdrk;nihsdrk;c:\windows\system32\drivers\nihsdrkl.sys [4/8/2009 5:01 PM 11352]

S3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [8/24/2009 3:08 PM 11360]

S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [2/2/2010 2:11 AM 11904]

S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [7/23/2009 3:50 PM 14464]

S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [7/23/2009 3:50 PM 151683]

S3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [2/1/2010 11:11 PM 11872]

S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [2/1/2010 11:24 PM 11880]

S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [2/5/2010 5:18 PM 11360]

S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [6/2/2010 6:44 PM 11968]

S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [6/2/2010 6:45 PM 11968]

S3 nipsdk;nipsdk;c:\windows\system32\drivers\nipsdkl.sys [6/11/2009 2:49 PM 11392]

S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [6/14/2010 2:30 PM 21144]

S3 niraptrk;niraptrk;c:\windows\system32\drivers\niraptrkl.sys [6/15/2010 3:51 PM 11400]

S3 nirfsa2k;nirfsa2k;c:\windows\system32\drivers\niRFSA2kl.sys [6/1/2009 11:31 AM 11328]

S3 niRFSGk;niRFSGk;c:\windows\system32\drivers\niRFSGkl.sys [4/27/2009 10:35 PM 11328]

S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [7/14/2009 1:58 PM 11376]

S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [2/10/2010 3:27 PM 11352]

S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [2/5/2010 5:36 PM 11344]

S3 nisldk;nisldk;c:\windows\system32\drivers\nisldkl.sys [6/18/2009 1:50 AM 11344]

S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [7/14/2009 1:58 PM 11376]

S3 nisrcdk;nisrcdk;c:\windows\system32\drivers\nisrcdkl.sys [6/26/2009 12:01 PM 11352]

S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [6/15/2010 5:00 PM 11408]

S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [1/5/2009 9:19 AM 11312]

S3 nistc3rk;nistc3rk;c:\windows\system32\drivers\nistc3rkl.sys [5/3/2010 12:22 AM 11400]

S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [8/31/2009 2:15 PM 11360]

S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [9/1/2009 9:53 AM 11336]

S3 niSynck;niSynck;c:\windows\system32\drivers\niSynckl.sys [6/22/2010 6:00 PM 11408]

S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2/6/2010 5:58 AM 11360]

S3 nitnr2k;nitnr2k;c:\windows\system32\drivers\nitnr2kl.sys [4/10/2009 7:20 AM 11328]

S3 nitsuk;nitsuk;c:\windows\system32\drivers\nitsukl.sys [5/5/2010 1:34 AM 11424]

S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [6/15/2010 3:47 PM 11432]

S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [6/23/2010 10:03 AM 11432]

S3 niwdk;niwdk;c:\windows\system32\drivers\niwdk.sys [8/14/2009 7:29 AM 28256]

S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [6/15/2010 5:01 PM 11408]

S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [6/15/2010 3:51 PM 11408]

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [6/27/2008 1:39 AM 332928]

S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]

S3 usb6xxxkw;usb6xxxkw;c:\windows\system32\DRIVERS\usb6xxxkw.sys --> c:\windows\system32\DRIVERS\usb6xxxkw.sys [?]

S3 uti2njex;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti2njex.sys --> c:\windows\system32\Drivers\uti2njex.sys [?]

S3 VPCASp50;VPCASp50 NDIS Protocol Driver;c:\windows\system32\drivers\VPCASp50.sys [3/8/2010 7:17 PM 27072]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

S3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [11/21/2010 12:33 PM 7040]

S4 gupdate1c98f9c655555b2;Google Update Service (gupdate1c98f9c655555b2);c:\program files\Google\Update\GoogleUpdate.exe [2/15/2009 1:36 PM 133104]

S4 IswSvc;ZoneAlarm ForceField IswSvc;"c:\program files\CheckPoint\ZAForceField\IswSvc.exe" --> c:\program files\CheckPoint\ZAForceField\IswSvc.exe [?]

S4 KvEnumSrv;Kvaser Network Enumerator Service;c:\program files\Kvaser\Drivers\KvEnumSrv.exe [10/21/2009 5:42 PM 72208]

S4 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [3/24/2010 3:23 PM 12696]

S4 NIApplicationWebServer;NI Application Web Server;c:\program files\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe [6/22/2010 5:02 PM 47776]

S4 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [3/24/2010 3:23 PM 12696]

S4 niLXIDiscovery;National Instruments LXI Discovery Service;c:\program files\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe [6/23/2010 1:14 PM 131776]

S4 nimDNSResponder;National Instruments mDNS Responder Service;c:\program files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [6/23/2010 4:21 PM 193712]

S4 NiRioRpc;National Instruments RIO Server;c:\windows\system32\NiRioRpc.exe [6/26/2010 12:06 PM 31880]

S4 nitsuu;nitsuu;c:\windows\system32\nipalsm.exe [3/24/2010 3:23 PM 12696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NIPALK

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2008-08-22 18:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2011-02-12 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-436374069-1563985344-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

2011-01-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-436374069-1563985344-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride =

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Trusted Zone: nvidia.com\www

FF - ProfilePath - c:\documents and settings\William Osipoff\Application Data\Mozilla\Firefox\Profiles\raabsthh.Bill\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox 4.0 Beta 8\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}

FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-12 08:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\2.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1172)

c:\windows\system32\WININET.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\Microsoft ActiveSync\wcescomm.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

.

**************************************************************************

.

Completion time: 2011-02-12 08:24:54 - machine was rebooted

ComboFix-quarantined-files.txt 2011-02-12 13:24

ComboFix2.txt 2011-02-10 00:34

ComboFix3.txt 2011-02-09 00:01

ComboFix4.txt 2011-02-08 00:22

ComboFix5.txt 2011-02-12 05:23

Pre-Run: 58,589,184,000 bytes free

Post-Run: 58,426,789,888 bytes free

- - End Of File - - 5866ECCF27D21F45CDF8DC10AC813448

Please post your logs, don't attach them.


ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection. When completed, the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Here are the results of the ESET scan: :)

I am still seeing LED action...what's next? :welcome:

Thanks again for your help.

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=88f91c46f24a8a43bd0759dea923785f

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-02-13 07:50:45

# local_time=2011-02-13 02:50:45 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 1607649 1607649 0 0

# compatibility_mode=1280 16777191 100 0 778179 778179 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=414284

# found=12

# cleaned=12

# scan_time=28924

C:\Documents and Settings\William Osipoff\DoctorWeb\Quarantine\A0239233.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\William Osipoff\DoctorWeb\Quarantine\Install_AIM 5_9.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\William Osipoff\DoctorWeb\Quarantine\Install_AIM_5_9_3700.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\William Osipoff\DoctorWeb\Quarantine\Install_AIM_5_9_3701.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\William Osipoff\DoctorWeb\Quarantine\Install_AIM_5_9_3702.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\William Osipoff\My Documents\Download\PC Repairs\ComboFix.exe probably a variant of Win32/Agent.EDDXFNZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{2C98B01E-C04C-42CF-AEBB-F2F8291C9584}\RP26\A0020914.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{2C98B01E-C04C-42CF-AEBB-F2F8291C9584}\RP26\A0020915.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{2C98B01E-C04C-42CF-AEBB-F2F8291C9584}\RP26\A0020916.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{2C98B01E-C04C-42CF-AEBB-F2F8291C9584}\RP26\A0020917.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{2C98B01E-C04C-42CF-AEBB-F2F8291C9584}\RP26\A0020918.exe Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C

I:\green usb stick\tools\ComboFix.exe probably a variant of Win32/Agent.EDDXFNZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


I downloaded and ran cpes_clean.exe, but as soon as I ran it I received the error "cpes_clean error caught an exception, GetLastError() = 0)". :D I don't know whether I told you this before, but I had a problem (before I started this thread) removing Zonealarm Extreme and I ended up manually erasing a lot of files in safe mode to get rid of almost all traces of Zonealarm. Because of that previous experience I know where to find the log file when this cpes_clean crash occurs (I used a previous log file last month to remove as much of Zonealarm as I could find). I found the "cpes_clean_log_20110213115246.log" in the folder C:\documents and settings\William Osipoff\Local Setting\temp and am posting the contents for you here. Needless to say, once the error occurred, no files were removed and the reboot was not called for. :P

Since Zonealarm is still apparently tied into the system somehow (could the suspected rootkit be somehow using it? :lol: ) I did not run dds as it seemed to be premature.

Here are the (cpes_clean_log_20110213115246.log) file contents:

VC 9.0 runtime libraries are already installed

Determined cleanup state. State = 1

Load vsutil

ToolInit()

vsutil is loaded.

20110213115247 C:\Documents and Settings\William Osipoff\Desktop\malwarebytes help\cpes_clean.exe: cleaning Check Point Endpoint Security client

20110213115247 This version of C:\Documents and Settings\William Osipoff\Desktop\malwarebytes help\cpes_clean.exe was built on Dec 21 2009 at 19:40:38

20110213115247 command line: "C:\Documents and Settings\William Osipoff\Desktop\malwarebytes help\cpes_clean.exe"

20110213115247 initialDirectory: C:\Documents and Settings\William Osipoff\Desktop\malwarebytes help

20110213115247 Cleaning up the client.

20110213115247 CPDir32 = C:\Program Files\CheckPoint\

20110213115247 CPDir64 = C:\Program Files\CheckPoint\

20110213115247 Creating a list of items to look for and cleanup.

Client executable files does not exist.

Product mode is 16|8|5|1, so look for ForceField directories.

No Force install path in registry

20110213115247 Looking for the following directories to remove.

C:\Program Files\CheckPoint\Endpoint Security\ -- is not installed.

C:\Program Files\CheckPoint\Integrity Client\ -- is not installed.

C:\Program Files\Zone Labs\Integrity Client\ -- is not installed.

C:\Program Files\Zone Labs\ -- is not installed.

C:\Documents and Settings\All Users\Start Menu\Programs\Check Point Endpoint Security -- is not installed.

C:\Documents and Settings\All Users\Start Menu\Programs\Check Point Integrity Client -- is not installed.

C:\Documents and Settings\All Users\Start Menu\Programs\ZoneAlarm -- is not installed.

C:\Program Files\Common Files\Check Point\CPInfo -- is not installed.

C:\Program Files\Common Files\Check Point\Help -- is not installed.

C:\Program Files\Common Files\Check Point\UIFramework -- is not installed.

C:\WINDOWS\system32\ZoneLabs\ -- is not installed.

C:\WINDOWS\Internet Logs -- exists.

C:\Program Files\CheckPoint\ZAForceField -- is not installed.

C:\Program Files\CheckPoint\ZoneAlarmForceField -- is not installed.

C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp\#ISW.FS# -- is not installed.

C:\Documents and Settings\William Osipoff\Application Data\#ISW.FS# -- is not installed.

C:\Documents and Settings\William Osipoff\Application Data\Checkpoint\ZAForceField -- is not installed.

C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp\IswTmp -- is not installed.

C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp\IswDmp -- is not installed.

C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp\IswDownloads -- is not installed.

C:\WINDOWS\TEMP\IswTmp -- is not installed.

C:\Program Files\CheckPoint\ -- is not installed.

C:\Program Files\CheckPoint\ -- is not installed.

C:\Program Files\Common Files\Check Point -- is not installed.

20110213115247 Looking for specific files in system32

C:\WINDOWS\system32\vsdatant.sys -- is not installed.

C:\WINDOWS\system32\icslta.dll -- is not installed.

C:\WINDOWS\system32\vsconfig.xml -- is not installed.

C:\WINDOWS\system32\vsdata.dll -- is not installed.

C:\WINDOWS\system32\vsinit.dll -- is not installed.

C:\WINDOWS\system32\vsmonapi.dll -- is not installed.

C:\WINDOWS\system32\vspubapi.dll -- is not installed.

C:\WINDOWS\system32\vsutil.dll -- is not installed.

C:\WINDOWS\system32\vswmi.dll -- is not installed.

C:\WINDOWS\system32\vsxml.dll -- is not installed.

C:\WINDOWS\system32\zlcomm.dll -- is not installed.

C:\WINDOWS\system32\ZLCommDB.dll -- is not installed.

C:\WINDOWS\system32\zpeng24.dll -- is not installed.

C:\WINDOWS\system32\zpeng25.dll -- is not installed.

C:\WINDOWS\system32\vsregexp.dll -- is not installed.

C:\WINDOWS\system32\..\zllsputility.exe -- is not installed.

C:\WINDOWS\system32\drivers\klick.sys -- is not installed.

C:\WINDOWS\system32\drivers\klick.dat -- exists.

C:\WINDOWS\system32\drivers\klin.sys -- is not installed.

C:\WINDOWS\system32\drivers\klin.dat -- exists.

C:\WINDOWS\system32\drivers\fidbox.dat -- is not installed.

C:\WINDOWS\system32\drivers\fidbox.idx -- is not installed.

C:\WINDOWS\system32\drivers\fidbox2.dat -- is not installed.

C:\WINDOWS\system32\drivers\fidbox2.idx -- is not installed.

C:\WINDOWS\system32\ibfl.dat -- is not installed.

C:\WINDOWS\system32\ikfl.dat -- is not installed.

C:\WINDOWS\system32\pdfl.dat -- is not installed.

C:\WINDOWS\system32\vsdatant.sys -- is not installed.

C:\WINDOWS\system32\vsconfig.xml

C:\Documents and Settings\William Osipoff\Desktop\ZoneAlarm Security.lnk

C:\Documents and Settings\All Users\Desktop\ZoneAlarm Security.lnk

20110213115247 Looking for registry keys to remove.

Look for 32 regkeys with a 32 bit view

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsmon -- is not installed.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsdatant -- is not installed.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsdatant7 -- is not installed.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog\system\vsdatant -- is not installed.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\44 -- is not installed.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srescan -- is not installed.

HKEY_CLASSES_ROOT\CLSID\{D9872D13-7651-4471-9EEE-F0A00218BEBB} -- is not installed.

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\ZLAVShExt -- is not installed.

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZLAVShExt -- is not installed.

HKEY_CLASSES_ROOT\Zlavscan.ZLAVShExt.1 -- is not installed.

HKEY_CLASSES_ROOT\Zlavscan.ZLAVShExt -- is not installed.

HKEY_CLASSES_ROOT\zamailsafe -- is not installed.

HKEY_LOCAL_MACHINE\Software\classes\zamailsafe -- is not installed.

HKEY_CURRENT_USER\Software\Zone Labs -- is not installed.

HKEY_CURRENT_USER\Software\Checkpoint -- is not installed.

HKEY_CURRENT_USER\Software\MailFrontier -- is not installed.

HKEY_LOCAL_MACHINE\Software\Zone Labs\ZoneAlarm -- is not installed.

HKEY_LOCAL_MACHINE\Software\KasperskyLab -- exists.

HKEY_LOCAL_MACHINE\Software\CheckPoint\ZoneAlarm -- is not installed.

Caught an unknown exception: caught an exception, GetLastError() = 0

Msg(caught an exception, GetLastError() = 0,cpes_clean error,262160)

Set current directory back to: C:\Documents and Settings\William Osipoff\Desktop\malwarebytes help

Load string 107 = A restart is required to complete the removal

of Endpoint Security. Click OK to restart now.

Load string 108 = Check Point Endpoint Security Removal

Remove temp directory: C:\DOCUME~1\WILLIA~1\LOCALS~1\Temp\cpes_clean_temp20110213115246

See if we should reboot. returnValue = 1, bReboot = 1

Let's clean several leftovers from ZoneAlarm with their own uninstaller:

http://download.zonealarm.com/bin/free/support/cpes_clean.exe

Next, please post a new fresh DDS log file.
