
Hey all,

I am running Windows XP Home Edition. As of yesterday, I noticed that my Google.com search results were getting redirected to new pages without modifying the address in the address bar. Some of the titles of the sites appeared to be "SpywareSecurityProtection.com," "validClick," "4dayaweek.com," and "ForLess.com." If I directly type an address into the address bar, then this rerouting does not occur.

Logically, I started pulling up the anti-spyware/malware programs and HijackThis. HijackThis did not open and posted an error message saying, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I was running the 2.0.2 version of HijackThis, so I downloaded the newer version and got the same response.

I have Spybot - Search & Destroy and tried running that next. It opened, I was able to update it, and the scan showed "Microsoft.Windows.RedirectedHosts." I fixed this file and rebooted, but I was still having the same issues.

I next tried running the On Demand Scan from McAfee, but that will not even open, and the On Access Scan is permanently disabled despite my trying to enable it.

I opened my copy of Malwarebytes and I am able to update it, but the scanner disappears and will not reopen after about 15 seconds. When I try opening the program again, I see "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Despite this, Malwarebytes appears to be running in the background and shows up in my Taskbar.

Ad-Aware is having similar issues. The message I get when trying to open that program is "System error: 1810 has occurred. Description: Service is not online. Application terminates."

I downloaded Windows Defender and that application will not open. The error message I get is "Application failed to initialize: 0x800106ba. A problem caused this program's service to stop. To start the service, restart your computer or search Help and Support for how to start a service manually." Obviously, restarting did not help this problem.

The next program I downloaded and tried was SUPER Anti-Spyware. The error message I get for this one is "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I tried running these programs in Safe Mode to no avail.

I was looking at some similar problems on the threads here and I came across exehelper in hopes of getting the anti-spyware/malware programs to run. I ran the program and rebooted, but that did not seem to help. Here is my log:

exeHelper by Raktor

Build 20100414

Run at 15:34:41 on 08/31/11

Now searching...

Checking for numerical processes...

Killed numerical process 2021518833:236094087

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

As you can see, the 2021518833:236094087 process (uses a constant 1,892 K of memory) bothers me in my Task Manager, but I cannot get the program to stop running, nor am I able to find/delete it manually.

In summary, Google.com searches reroute to other websites without changing the address in the address bar; Malwarebytes, HijackThis, SAS, Ad-Aware, McAfee, and Windows Defender all will not open or will not allow me to do a system scan; and Spybot - Search & Destroy runs the scanner but does not detect anything that fixes the problem.

According to your posting guidelines, I ran the Defogger (which worked fine), and the dds.scr (log below), but the GMER Rootkit Scanner disappears about 30 seconds after I start the scan and I am unable to reopen it unless I download a new, randomly generated .exe file.

Can anyone help me with what I should do next?

Thanks!

Best,

Maelski

Here is the dds.txt log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21

Run by Me at 20:43:31 on 2011-08-31

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1095 [GMT -4:00]

.

AV: Malware Defense *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\2021518833:236094087.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Logitech\G-series Software\LGDCore.exe

C:\Program Files\Logitech\G-series Software\LCDMon.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\program files\real\realplayer\update\realsched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [Launch LGDCore] "c:\program files\logitech\g-series software\LGDCore.exe" /SHOWHIDE

mRun: [Launch LCDMon] "c:\program files\logitech\g-series software\LCDMon.exe"

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

StartupFolder: c:\docume~1\ryanfr~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgets.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

uPolicies-explorer: NoWindowsUpdate = 0 (0x0)

uPolicies-system: NoDispAppearancePage = 0 (0x0)

uPolicies-system: NoColorChoice = 0 (0x0)

uPolicies-system: NoSizeChoice = 0 (0x0)

uPolicies-system: NoVisualStyleChoice = 0 (0x0)

uPolicies-system: NoDispSettingsPage = 0 (0x0)

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 68.87.71.230 68.87.73.246

TCP: Interfaces\{4D3882EF-677F-4FC3-ADC7-C221D961E4E2} : DhcpNameServer = 68.87.71.230 68.87.73.246

TCP: Interfaces\{F6BC5305-F669-451C-BC20-EC2879F79CE1} : DhcpNameServer = 68.87.71.230 68.87.73.246

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: VESWinlogon - VESWinlogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Trend Micro Anti-Spyware Shell Extension: {03a80b1d-5c6a-42c2-9dfb-81b6005d8023} - c:\program files\trend micro\tmas\sshook.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\ryan fredericks\application data\mozilla\firefox\profiles\uh4vz55x.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\ryan fredericks\application data\idm\bin\flash\platform\winnt\plugins\npidmdcp.dll

FF - plugin: c:\documents and settings\ryan fredericks\application data\mozilla\firefox\profiles\uh4vz55x.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\progra~1\mozill~1\plugins\NPSWF32.dll

FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\mozilla firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}

FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\ryan fredericks\application data\idm\bin\flash

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\ryan fredericks\application data\idm\bin\flash

.

---- FIREFOX POLICIES ----

user_pref(security.warn_viewing_mixed,false);

user_pref(security.warn_viewing_mixed.show_once,false);

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

user_pref(security.warn_submit_insecure,false);

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-11-17 611664]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-31 366640]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-17 104000]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-5 24652]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-31 22712]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-11-17 72264]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-11-17 168776]

R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-6-10 29184]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-6-10 226304]

S0 71895782;71895782;c:\windows\system32\drivers\67982631.sys --> c:\windows\system32\drivers\67982631.sys [?]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-11-17 34152]

S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [2010-7-19 103424]

S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [2010-7-19 103424]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]

S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-17 1119888]

.

=============== File Associations ===============

.

regfile=regedit.exe "%1" %*

.

=============== Created Last 30 ================

.

2011-09-01 00:15:08 -------- d-----w- C:\TDSSKiller_Quarantine

2011-08-31 23:52:01 43408 --sha-w- c:\windows\system32\c_83943.nl_

2011-08-31 20:56:49 840704 ----a-w- c:\documents and settings\all users\application data\defender.exe

2011-08-31 20:13:12 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-31 20:13:08 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-31 20:13:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-31 17:44:49 -------- d-----w- c:\documents and settings\ryan fredericks\application data\SUPERAntiSpyware.com

2011-08-31 17:44:32 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-08-31 17:44:32 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-08-31 17:14:47 -------- d-----w- C:\VundoFix Backups

2011-08-31 16:53:01 7152464 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\updates\mpengine.dll

2011-08-31 16:53:01 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-08-30 22:49:18 388096 ----a-r- c:\documents and settings\ryan fredericks\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-08-30 22:24:48 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-08-30 22:24:48 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-30 20:42:45 -------- d-----w- C:\spoolerlogs

2011-08-30 20:31:04 4194304 ----a-w- c:\windows\system32\wxaetreo.dll

2011-08-30 20:30:44 -------- d-----w- c:\documents and settings\ryan fredericks\application data\Remote

2011-08-25 19:24:02 -------- d-----w- c:\documents and settings\ryan fredericks\application data\DDMSettings

2011-08-15 11:10:46 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

==================== Find3M ====================

.

2011-09-01 00:41:05 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp

2011-09-01 00:24:50 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-09-01 00:16:08 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-08-31 21:17:07 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-08-31 17:32:52 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2011-08-30 20:46:12 143428 ----a-w- c:\windows\system32\nvsvc32.exe

2011-08-16 22:36:04 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:18:34 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:18:34 667136 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:18:34 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-06-21 12:58:45 369664 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 20:50:47.28 ===============

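The post above already contains the clues a helper looks for when reading a DDS log: a process whose image name is a pair of numbers separated by a colon (NTFS alternate-data-stream path syntax, the same thing exeHelper reports as a "numerical process"), a boot-start driver whose service name and file name are both random digits and for which DDS prints `[?]` instead of a date and size, and freshly created system+hidden files under `system32` or executables dropped straight into an Application Data root. The script below is an added example, not code from the poster, the forum staff, or the DDS/exeHelper authors; it applies those heuristics to a constructed excerpt modelled on the posted log so a reader can see which lines would be flagged and why. Section names, the `R/S` plus start-type prefix, and the `[date size]` stamp follow the DDS output format shown above; the heuristics themselves are assumptions chosen for illustration, not DDS's own logic.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS log posted above (not the full log).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\2021518833:236094087.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S0 71895782;71895782;c:\windows\system32\drivers\67982631.sys --> c:\windows\system32\drivers\67982631.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
.
=============== Created Last 30 ================
.
2011-08-31 23:52:01 43408 --sha-w- c:\windows\system32\c_83943.nl_
2011-08-31 20:56:49 840704 ----a-w- c:\documents and settings\all users\application data\defender.exe
2011-08-31 20:13:08 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                       # "=== Section Name ==="
DRIVER_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")      # R2 name;display;path [date size]
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\S{8})\s+(.*)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class Finding:
    section: str
    entry: str
    reason: str


def split_sections(text):
    """Group log lines under the DDS '=== name ===' header that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and line != ".":       # "." lines are DDS separators
            sections[current].append(line)
    return sections


def stem(path):
    """Last path component with any command-line arguments and the extension removed."""
    name = path.split("\\")[-1].split(" ")[0]
    return re.sub(r"\.[^.]*$", "", name)


def check_process(line):
    reasons = []
    if ":" in line[2:]:   # a colon after the drive letter is NTFS alternate-data-stream syntax
        reasons.append("colon after the drive letter: NTFS alternate-data-stream path syntax")
    if all(part.isdigit() for part in stem(line).split(":")):
        reasons.append("purely numeric image name")
    return reasons


def check_driver(line):
    m = DRIVER_RE.match(line)
    if not m:
        return []
    state, start_type, svc, _display, rest = m.groups()
    reasons = []
    if svc.isdigit():
        reasons.append("purely numeric service name")
    if stem(rest.split(" --> ")[-1]).isdigit():
        reasons.append("purely numeric driver file name")
    if rest.rstrip().endswith("[?]"):
        reasons.append("no [date size] stamp; DDS printed [?] instead")
    # DDS convention: start type 0 is boot start, i.e. the driver loads before security software.
    if start_type == "0" and reasons:
        reasons.append("boot-start (S0) driver")
    return reasons


def check_created(line):
    m = CREATED_RE.match(line)
    if not m:
        return []
    _stamp, _size, attrs, path = m.groups()
    low = path.lower()
    reasons = []
    if "s" in attrs and "h" in attrs and "\\windows\\system32\\" in low:
        reasons.append("new system+hidden file under system32")
    parent = low.split("\\")[-2] if "\\" in low else ""
    if low.endswith(EXEC_EXT) and parent == "application data":
        reasons.append("executable dropped directly in an Application Data root")
    return reasons


CHECKS = {"Running Processes": check_process,
          "SERVICES / DRIVERS": check_driver,
          "Created Last 30": check_created}


def triage(text):
    """Return one Finding per (entry, reason) for the sections we know how to read."""
    findings = []
    for section, lines in split_sections(text).items():
        check = CHECKS.get(section)
        if check is None:
            continue
        for line in lines:
            for reason in check(line):
                findings.append(Finding(section, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.entry}\n    -> {f.reason}")
```

Running it prints eight findings on the excerpt: two for the colon-separated numeric process, four for the `S0 71895782` driver, and one each for the hidden `c_83943.nl_` and the `defender.exe` dropped in Application Data; every legitimate line (svchost, spoolsv, the Malwarebytes and SUPERAntiSpyware entries) passes clean. These are triage hints for a human reader, not a verdict, which is why each finding carries its reason.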

  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hi screen317,

Thanks for helping. Attached is the ComboFix.txt.

Here is the DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21

Run by Ryan Fredericks at 23:36:43 on 2011-09-03

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.777 [GMT -4:00]

.

AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Logitech\G-series Software\LGDCore.exe

C:\Program Files\Logitech\G-series Software\LCDMon.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\program files\real\realplayer\update\realsched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [Launch LGDCore] "c:\program files\logitech\g-series software\LGDCore.exe" /SHOWHIDE

mRun: [Launch LCDMon] "c:\program files\logitech\g-series software\LCDMon.exe"

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\ryanfr~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgets.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 68.87.71.230 68.87.73.246

TCP: Interfaces\{4D3882EF-677F-4FC3-ADC7-C221D961E4E2} : DhcpNameServer = 68.87.71.230 68.87.73.246

TCP: Interfaces\{F6BC5305-F669-451C-BC20-EC2879F79CE1} : DhcpNameServer = 68.87.71.230 68.87.73.246

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: VESWinlogon - VESWinlogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\ryan fredericks\application data\mozilla\firefox\profiles\uh4vz55x.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\ryan fredericks\application data\idm\bin\flash\platform\winnt\plugins\npidmdcp.dll

FF - plugin: c:\documents and settings\ryan fredericks\application data\mozilla\firefox\profiles\uh4vz55x.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\mozilla firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}

FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\ryan fredericks\application data\idm\bin\flash

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\ryan fredericks\application data\idm\bin\flash

.

---- FIREFOX POLICIES ----

user_pref(security.warn_viewing_mixed,false);

user_pref(security.warn_viewing_mixed.show_once,false);

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

user_pref(security.warn_submit_insecure,false);

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-11-17 611664]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-31 366640]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-17 104000]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 139264]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-5 24652]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-31 22712]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-11-17 72264]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-11-17 34152]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-11-17 168776]

R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-6-10 29184]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-6-10 226304]

S0 71895782;71895782;c:\windows\system32\drivers\67982631.sys --> c:\windows\system32\drivers\67982631.sys [?]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [2010-7-19 103424]

S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [2010-7-19 103424]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]

S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-17 1119888]

.

=============== Created Last 30 ================

.

2011-09-04 02:50:03 -------- d-sha-r- C:\cmdcons

2011-09-04 02:43:55 98816 ----a-w- c:\windows\sed.exe

2011-09-04 02:43:55 518144 ----a-w- c:\windows\SWREG.exe

2011-09-04 02:43:55 256000 ----a-w- c:\windows\PEV.exe

2011-09-04 02:43:55 208896 ----a-w- c:\windows\MBR.exe

2011-09-01 19:33:35 -------- d-----w- c:\program files\ESET

2011-09-01 00:15:08 -------- d-----w- C:\TDSSKiller_Quarantine

2011-08-31 23:52:01 43408 --sha-w- c:\windows\system32\c_83943.nl_

2011-08-31 20:13:12 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-31 20:13:08 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-31 20:13:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-31 17:44:49 -------- d-----w- c:\documents and settings\ryan fredericks\application data\SUPERAntiSpyware.com

2011-08-31 17:44:32 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-08-31 17:44:32 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-08-31 17:32:52 951291 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\remregfix.reg

2011-08-31 17:32:52 896 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\databasepath.reg

2011-08-31 17:32:52 890 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\Remove-itRestorePoint.vbs

2011-08-31 17:32:52 5228 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\nfig.reg

2011-08-31 17:32:52 4994 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\s.reg

2011-08-31 17:32:52 4512 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\hpregfix.reg

2011-08-31 17:32:52 3008 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\bgregfix.reg

2011-08-31 17:32:52 2600 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\exefix.reg

2011-08-31 17:32:52 18308 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\IEDef.reg

2011-08-31 17:32:52 1754 ----a-w- c:\documents and settings\ryan fredericks\local settings\application data\regf.reg

2011-08-31 17:14:47 -------- d-----w- C:\VundoFix Backups

2011-08-31 16:53:01 7152464 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\updates\mpengine.dll

2011-08-31 16:53:01 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-08-30 22:49:18 388096 ----a-r- c:\documents and settings\ryan fredericks\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-08-30 22:24:48 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-08-30 22:24:48 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-30 20:42:45 -------- d-----w- C:\spoolerlogs

2011-08-30 20:31:04 4194304 ----a-w- c:\windows\system32\wxaetreo.dll

2011-08-30 20:30:44 -------- d-----w- c:\documents and settings\ryan fredericks\application data\Remote

2011-08-25 19:24:02 -------- d-----w- c:\documents and settings\ryan fredericks\application data\DDMSettings

2011-08-15 11:10:46 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

==================== Find3M ====================

.

2011-09-01 00:41:05 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp

2011-09-01 00:24:50 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-09-01 00:16:08 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-08-31 21:17:07 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-08-31 17:32:52 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2011-08-30 20:46:12 143428 ----a-w- c:\windows\system32\nvsvc32.exe

2011-08-16 22:36:04 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:18:34 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:18:34 667136 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:18:34 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-06-21 12:58:45 369664 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 23:42:44.95 ===============

Ah, my apologies. I believe I forgot to click the "Attach This File" button. I attached it again, but I also pasted it to make sure that you get it. Thanks!

ComboFix 11-09-03.01 - Ryan Fredericks 09/03/2011 23:02:48.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1374 [GMT -4:00]

Running from: c:\documents and settings\Ryan Fredericks\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Created a new restore point

* Resident AV is active

.

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\DotNetInstaller.exe.5bb65c40.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ExecAfterFirstBoot.exe.e14e59e8.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL1BA.tmp.c69ab859.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL3C.tmp.d00684d9.ini

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\VSC.exe.fc8fbd43.ini

c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll

c:\documents and settings\All Users\Application Data\h8srtmainqt.dll

c:\documents and settings\All Users\Application Data\sysReserve.ini

c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\DotNetInstaller.exe.5bb65c40.ini

c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\ExecAfterFirstBoot.exe.e14e59e8.ini

c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse

c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\SL1BA.tmp.c69ab859.ini

c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\SL3C.tmp.d00684d9.ini

c:\documents and settings\Amy\Local Settings\Application Data\ApplicationHistory\VSC.exe.fc8fbd43.ini

c:\documents and settings\LocalService\Application Data\6ccb.log

c:\documents and settings\LocalService\Application Data\LocalAccountAuthority.bat

c:\documents and settings\LocalService\Application Data\Plug.bat

c:\documents and settings\NetworkService\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\NetworkService\Local Settings\Application Data\ApplicationHistory\mswmccds.exe.5bdff540.ini

c:\documents and settings\Ryan Fredericks\Application Data\6ccb.log

c:\documents and settings\Ryan Fredericks\Application Data\Remote\mnj.dat

c:\documents and settings\Ryan Fredericks\Application Data\Remote\owlctx

c:\documents and settings\Ryan Fredericks\Application Data\Remote\srjmh47_shrd

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\DotNetInstaller.exe.5bb65c40.ini

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\ExecAfterFirstBoot.exe.e14e59e8.ini

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\HPQDocViewer.exe.100bbc94.ini

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\mswmc.exe.ed1fcd7a.ini

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\SL1BA.tmp.c69ab859.ini

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\SL3C.tmp.d00684d9.ini

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\VSC.exe.7b5a1892.ini.inuse

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\ApplicationHistory\VSC.exe.fc8fbd43.ini

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\beep.sys

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\scan.exe

c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\tskill.exe

c:\documents and settings\Ryan Fredericks\WINDOWS

C:\Install.exe

c:\windows\$NtUninstallKB29546$

c:\windows\$NtUninstallKB29546$\1828321174

c:\windows\$NtUninstallKB29546$\4058873208\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

c:\windows\$NtUninstallKB29546$\4058873208\click.tlb

c:\windows\$NtUninstallKB29546$\4058873208\L\wxaetreo

c:\windows\$NtUninstallKB29546$\4058873208\loader.tlb

c:\windows\$NtUninstallKB29546$\4058873208\U\@00000001

c:\windows\$NtUninstallKB29546$\4058873208\U\@000000c0

c:\windows\$NtUninstallKB29546$\4058873208\U\@000000cb

c:\windows\$NtUninstallKB29546$\4058873208\U\@000000cf

c:\windows\$NtUninstallKB29546$\4058873208\U\@80000000

c:\windows\$NtUninstallKB29546$\4058873208\U\@800000c0

c:\windows\$NtUninstallKB29546$\4058873208\U\@800000cb

c:\windows\$NtUninstallKB29546$\4058873208\U\@800000cf

c:\windows\assembly\GAC_MSIL\desktop.ini

c:\windows\bwUnin-7.2.0.137-8876480SL.exe

c:\windows\bwUnin-7.2.0.157-8876480SL.exe

c:\windows\bwUnin-8.1.1.50-8876480SL.exe

c:\windows\dasetup.log

c:\windows\kb835221.exe

c:\windows\ST6UNST.000

c:\windows\system32\comct332.ocx

c:\windows\windows-kb870669-x86-enu.exe

c:\windows\windowsinstaller-kb893803-v2-x86.exe

c:\windows\windowsxp-kb307154-x86-enu.exe

c:\windows\windowsxp-kb873339-x86-enu.exe

c:\windows\windowsxp-kb884018-x86-enu.exe

c:\windows\windowsxp-kb884575-x86-enu.exe

c:\windows\windowsxp-kb885250-x86-enu.exe

c:\windows\windowsxp-kb885835-x86-enu.exe

c:\windows\windowsxp-kb885836-x86-enu.exe

c:\windows\windowsxp-kb886185-x86-enu.exe

c:\windows\windowsxp-kb887472-x86-enu.exe

c:\windows\windowsxp-kb887742-x86-enu.exe

c:\windows\windowsxp-kb888113-x86-enu.exe

c:\windows\windowsxp-kb888239-x86-enu.exe

c:\windows\windowsxp-kb888302-x86-enu.exe

c:\windows\windowsxp-kb888321-x86-enu.exe

c:\windows\windowsxp-kb890046-x86-enu.exe

c:\windows\windowsxp-kb890859-x86-enu.exe

c:\windows\windowsxp-kb891781-x86-enu.exe

c:\windows\WindowsXP-KB893056-x86-ENU.exe

c:\windows\windowsxp-kb893066-v2-x86-enu.exe

c:\windows\windowsxp-kb893357-v2-x86-enu.exe

c:\windows\windowsxp-kb893756-x86-enu.exe

c:\windows\windowsxp-kb894391-x86-enu.exe

c:\windows\windowsxp-kb896358-x86-enu.exe

c:\windows\windowsxp-kb896422-x86-enu.exe

c:\windows\windowsxp-kb896423-x86-enu.exe

c:\windows\windowsxp-kb896424-x86-enu.exe

c:\windows\windowsxp-kb896428-x86-enu.exe

c:\windows\windowsxp-kb896688-x86-enu.exe

c:\windows\windowsxp-kb896727-x86-enu.exe

c:\windows\windowsxp-kb899587-x86-enu.exe

c:\windows\windowsxp-kb899588-x86-enu.exe

c:\windows\windowsxp-kb899589-x86-enu.exe

c:\windows\windowsxp-kb899591-x86-enu.exe

c:\windows\windowsxp-kb900466-x86-enu.exe

c:\windows\windowsxp-kb900725-x86-enu.exe

c:\windows\windowsxp-kb901017-x86-enu.exe

c:\windows\windowsxp-kb901214-x86-enu.exe

c:\windows\windowsxp-kb902400-x86-enu.exe

c:\windows\windowsxp-kb903235-x86-enu.exe

c:\windows\windowsxp-kb904706-x86-enu.exe

c:\windows\windowsxp-kb905414-x86-enu.exe

c:\windows\windowsxp-kb905749-x86-enu.exe

c:\windows\windowsxp-kb905915-x86-enu.exe

c:\windows\windowsxp-kb908519-x86-enu.exe

c:\windows\windowsxp-kb908531-x86-enu.exe

c:\windows\windowsxp-kb909667-x86-enu.exe

c:\windows\windowsxp-kb910728-x86-enu.exe

c:\windows\windowsxp-kb911562-x86-enu.exe

c:\windows\windowsxp-kb912812-x86-enu.exe

c:\windows\windowsxp-kb912919-x86-enu.exe

c:\windows\windowsxp-kb912945-x86-enu.exe

.

c:\windows\system32\drivers\tosrfcom.sys . . . is infected!! . . . Failed to find a valid replacement.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_f1ed7d78

.

.

((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))

.

.

2011-09-01 19:33 . 2011-09-01 19:33 -------- d-----w- c:\program files\ESET

2011-09-01 00:15 . 2011-09-01 00:15 -------- d-----w- C:\TDSSKiller_Quarantine

2011-08-31 23:52 . 2011-09-01 00:26 43408 --sha-w- c:\windows\system32\c_83943.nl_

2011-08-31 20:13 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-31 20:13 . 2011-08-31 20:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-31 20:13 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\SUPERAntiSpyware.com

2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-08-31 17:32 . 2011-08-31 17:32 951291 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\remregfix.reg

2011-08-31 17:32 . 2011-08-31 17:32 896 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\databasepath.reg

2011-08-31 17:32 . 2011-08-31 17:32 890 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\Remove-itRestorePoint.vbs

2011-08-31 17:32 . 2011-08-31 17:32 5228 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\nfig.reg

2011-08-31 17:32 . 2011-08-31 17:32 4994 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\s.reg

2011-08-31 17:32 . 2011-08-31 17:32 4512 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\hpregfix.reg

2011-08-31 17:32 . 2011-08-31 17:32 3008 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\bgregfix.reg

2011-08-31 17:32 . 2011-08-31 17:32 2600 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\exefix.reg

2011-08-31 17:32 . 2011-08-31 17:32 18308 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\IEDef.reg

2011-08-31 17:32 . 2011-08-31 17:32 1754 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\regf.reg

2011-08-31 17:14 . 2011-08-31 17:14 -------- d-----w- C:\VundoFix Backups

2011-08-31 16:53 . 2011-08-16 12:48 7152464 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll

2011-08-31 16:53 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-08-31 16:51 . 2011-08-31 16:51 -------- d-----w- c:\program files\Windows Defender

2011-08-30 22:24 . 2011-08-30 22:24 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-30 20:42 . 2011-08-30 20:42 -------- d-----w- C:\spoolerlogs

2011-08-30 20:31 . 2011-08-30 20:31 4194304 ----a-w- c:\windows\system32\wxaetreo.dll

2011-08-30 20:30 . 2011-09-04 03:14 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\Remote

2011-08-25 19:24 . 2011-08-25 19:24 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\DDMSettings

2011-08-15 11:10 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-01 00:41 . 2006-06-11 00:02 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp

2011-09-01 00:24 . 2006-06-10 23:52 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-09-01 00:16 . 2004-08-03 23:14 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-08-31 21:17 . 2004-08-03 22:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-08-31 17:32 . 2006-06-10 23:52 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2011-08-30 22:49 . 2011-08-30 22:49 388096 ----a-r- c:\documents and settings\Ryan Fredericks\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-08-30 20:46 . 2006-06-10 23:52 143428 ----a-w- c:\windows\system32\nvsvc32.exe

2011-08-16 22:36 . 2011-05-25 22:20 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29 . 2006-06-10 23:52 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2006-06-10 23:52 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2006-06-11 00:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:18 . 2009-07-04 16:08 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:18 . 2006-06-10 23:52 667136 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:18 . 2006-06-10 23:52 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-06-21 12:58 . 2006-06-10 23:52 369664 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2006-06-10 23:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]

"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-25 273544]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

.

c:\documents and settings\Ryan Fredericks\Start Menu\Programs\Startup\

Yahoo! Widgets.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe [2008-3-18 4742184]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-2-13 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-8-25 528384]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk

backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2010-09-22 22:11 640440 -c--a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2011-06-08 00:54 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 01:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2008-08-14 11:58 611712 -c--a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2004-11-18 03:47 118784 -c--a-w- c:\program files\Apoint\Apoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-03-17 01:58 47392 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppMon Utility]

2006-03-15 17:55 40960 -c--a-w- c:\program files\Sony\AppMonUtil\AppMonUtility.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]

2009-08-04 08:49 318096 -c--a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]

2008-04-24 17:25 202560 -c--a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DirectPlayerCore]

2009-09-24 21:45 1150016 -c--a-w- c:\program files\NBC Direct\DirectPlayerCore.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExecAfterFirstBoot]

2005-03-16 18:22 204800 -c--a-w- c:\windows\SONYSYS\EFlyer\ExecAfterFirstBoot.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2006-04-20 17:10 50792 -c--a-w- c:\program files\Common Files\AOL\1150570943\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2005-12-15 15:18 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2006-02-21 23:59 143360 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]

2006-02-17 16:59 124520 -c--a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]

2004-02-20 21:12 32768 -c--a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2006-03-20 22:34 213936 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]

2007-02-13 15:42 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

2005-07-23 03:25 28160 -c--a-w- c:\windows\KHALMNPR.Exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

2005-07-19 14:05 53248 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-05-08 14:50 7561216 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2006-05-08 14:50 86016 -c--a-w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2010-05-13 20:12 26192168 -c--a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]

2006-01-26 09:28 212992 -c--a-w- c:\program files\Sony\VAIO Power Management\SPMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-11-24 23:53 1242448 -c--a-w- c:\progra~1\Valve\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 15:44 248552 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]

2005-11-24 18:47 167936 -c--a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]

2003-04-20 04:08 28672 -c--a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]

2005-10-12 04:36 151552 -c--a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]

2005-12-01 09:20 69632 -c--a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]

2005-06-13 22:42 258048 -c--a-w- c:\program files\Sony\VAIO Survey\SurveySA.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

2011-08-30 20:47 111816 ----a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]

2006-11-01 18:19 145072 -c--a-w- c:\program files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\FotomatDeviceConnect.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-19 01:05 204288 -c----w- c:\program files\Windows Media Player\wmpnscfg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NSCService"=3 (0x3)

"navapsvc"=2 (0x2)

"ccSetMgr"=2 (0x2)

"ccProxy"=2 (0x2)

"ccISPwdSvc"=3 (0x3)

"ccEvtMgr"=2 (0x2)

"iPodService"=3 (0x3)

"PACSPTISVR"=3 (0x3)

"ose"=3 (0x3)

"MSCSPTISRV"=3 (0x3)

"MDM"=2 (0x2)

"iPod Service"=3 (0x3)

"Image Converter video recording monitor for VAIO Entertainment"=3 (0x3)

"IDriverT"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)

"VAIOMediaPlatform-IntegratedServer-UPnP"=3 (0x3)

"VAIOMediaPlatform-IntegratedServer-HTTP"=3 (0x3)

"VAIOMediaPlatform-IntegratedServer-AppServer"=3 (0x3)

"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)

"WMPNetworkSvc"=2 (0x2)

"gusvc"=2 (0x2)

"OpenCASE Media Agent"=2 (0x2)

"SSScsiSV"=3 (0x3)

"SPTISRV"=3 (0x3)

"Pml Driver HPZ12"=2 (0x2)

"Bonjour Service"=2 (0x2)

"Symantec Core LC"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

"Adobe Version Cue CS4"=3 (0x3)

"idsvc"=3 (0x3)

"JavaQuickStarterService"=2 (0x2)

"sprtsvc_ddoctorv2"=2 (0x2)

"Pharos Systems ComTaskMaster"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aim6.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\msncall.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=

"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=

"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58306:TCP"= 58306:TCP:PandoRest Listening Port

"57232:TCP"= 57232:TCP:PandoRest Listening Port

"56666:TCP"= 56666:TCP:PandoRest Listening Port

"57541:TCP"= 57541:TCP:PandoRest Listening Port

"58998:TCP"= 58998:TCP:PandoRest Listening Port

"57251:TCP"= 57251:TCP:Pando Media Booster

"57251:UDP"= 57251:UDP:Pando Media Booster

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

"56903:TCP"= 56903:TCP:Pando Media Booster

"56903:UDP"= 56903:UDP:Pando Media Booster

"58433:TCP"= 58433:TCP:Pando Media Booster

"58433:UDP"= 58433:UDP:Pando Media Booster

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"56396:TCP"= 56396:TCP:Pando Media Booster

"56396:UDP"= 56396:UDP:Pando Media Booster

"8378:TCP"= 8378:TCP:League of Legends Launcher

"8378:UDP"= 8378:UDP:League of Legends Launcher

"6979:TCP"= 6979:TCP:League of Legends Launcher

"6979:UDP"= 6979:UDP:League of Legends Launcher

"8379:TCP"= 8379:TCP:League of Legends Launcher

"8379:UDP"= 8379:UDP:League of Legends Launcher

"6983:TCP"= 6983:TCP:League of Legends Launcher

"6983:UDP"= 6983:UDP:League of Legends Launcher

"8380:TCP"= 8380:TCP:League of Legends Launcher

"8380:UDP"= 8380:UDP:League of Legends Launcher

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/31/2011 4:13 PM 366640]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/5/2008 11:25 PM 24652]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/31/2011 4:13 PM 22712]

R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [6/10/2006 7:52 PM 29184]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [6/10/2006 7:52 PM 226304]

S0 71895782;71895782;c:\windows\system32\drivers\67982631.sys --> c:\windows\system32\drivers\67982631.sys [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [7/19/2010 10:37 AM 103424]

S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [7/19/2010 10:37 AM 103424]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/2/2009 4:23 PM 717296]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-09-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1558351877-522379458-2971586956-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

2011-09-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1558351877-522379458-2971586956-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

.

------- Supplementary Scan -------

.

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

TCP: DhcpNameServer = 68.87.71.230 68.87.73.246

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Ryan Fredericks\Application Data\Mozilla\Firefox\Profiles\uh4vz55x.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}

FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash

user_pref(security.warn_viewing_mixed,false);

user_pref(security.warn_viewing_mixed.show_once,false);

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

user_pref(security.warn_submit_insecure,false);

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-ArcSoft Connection Service - c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

ShellExecuteHooks-{03A80B1D-5C6A-42c2-9DFB-81B6005D8023} - c:\program files\Trend Micro\Tmas\sshook.dll

SafeBoot-19969215.sys

SafeBoot-71246523.sys

SafeBoot-71895782.sys

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

MSConfigStartUp-extrac64_cab - c:\docume~1\RYANFR~1\LOCALS~1\Temp\extrac64_cab.exe

MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe

MSConfigStartUp-Malware Defense - c:\program files\Malware Defense\mdefense.exe

MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe

MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe

AddRemove-BlitzMail - c:\windows\unvise32.exe

AddRemove-{319D9385-EEC1-4ae5-BFD1-C5DE1E063F30} - c:\program files\Trend Micro\Tmas\tmas.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-03 23:20

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Cdrom]

"ImagePath"="system32\drivers\tsk9.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1200)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\VESWinlogon.dll

.

- - - - - - - > 'explorer.exe'(4664)

c:\program files\Logitech\SetPoint\GameHook.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\program files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

c:\program files\Logitech\G-series Software\Applets\LCDClock.exe

c:\program files\Logitech\G-series Software\Applets\LCDMedia.exe

c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\Juniper Networks\Common Files\dsNcService.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe

c:\program files\Sony\VAIO Event Service\VESMgr.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-09-03 23:26:03 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-04 03:26

.

Pre-Run: 18,547,580,928 bytes free

Post-Run: 18,292,645,888 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 886ADCE6233F8F72A7F31B50578C5D5A

ComboFix.txt


Hello screen317,

Two things:

1. I cannot access VirusTotal.com on this computer. The virus appears to be completely blocking the site.

2. That being said, I attempted to search for the tosrfcom.sys file so that I could upload the file via another computer, but I cannot find that file manually or through the Search function on Windows.

I ran ComboFix again to see what it would come up with; the log is below. What should I do next?

ComboFix 11-09-08.03 - Ryan Fredericks 09/08/2011 19:40:24.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1399 [GMT -4:00]

Running from: c:\documents and settings\Ryan Fredericks\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\setupapi.log

.

.

((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))

.

.

2011-09-01 19:33 . 2011-09-01 19:33 -------- d-----w- c:\program files\ESET

2011-09-01 00:15 . 2011-09-01 00:15 -------- d-----w- C:\TDSSKiller_Quarantine

2011-08-31 23:52 . 2011-09-01 00:26 43408 --sha-w- c:\windows\system32\c_83943.nl_

2011-08-31 20:13 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-31 20:13 . 2011-08-31 20:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-31 20:13 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\SUPERAntiSpyware.com

2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-08-31 17:32 . 2011-08-31 17:32 951291 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\remregfix.reg

2011-08-31 17:32 . 2011-08-31 17:32 896 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\databasepath.reg

2011-08-31 17:32 . 2011-08-31 17:32 890 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\Remove-itRestorePoint.vbs

2011-08-31 17:32 . 2011-08-31 17:32 5228 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\nfig.reg

2011-08-31 17:32 . 2011-08-31 17:32 4994 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\s.reg

2011-08-31 17:32 . 2011-08-31 17:32 4512 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\hpregfix.reg

2011-08-31 17:32 . 2011-08-31 17:32 3008 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\bgregfix.reg

2011-08-31 17:32 . 2011-08-31 17:32 2600 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\exefix.reg

2011-08-31 17:32 . 2011-08-31 17:32 18308 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\IEDef.reg

2011-08-31 17:32 . 2011-08-31 17:32 1754 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\regf.reg

2011-08-31 17:14 . 2011-08-31 17:14 -------- d-----w- C:\VundoFix Backups

2011-08-31 16:53 . 2011-08-16 12:48 7152464 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll

2011-08-31 16:53 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-08-31 16:51 . 2011-08-31 16:51 -------- d-----w- c:\program files\Windows Defender

2011-08-30 22:49 . 2011-08-30 22:49 388096 ----a-r- c:\documents and settings\Ryan Fredericks\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-08-30 22:24 . 2011-08-30 22:24 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-30 20:42 . 2011-08-30 20:42 -------- d-----w- C:\spoolerlogs

2011-08-30 20:31 . 2011-08-30 20:31 4194304 ----a-w- c:\windows\system32\wxaetreo.dll

2011-08-30 20:30 . 2011-09-04 03:14 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\Remote

2011-08-25 19:24 . 2011-08-25 19:24 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\DDMSettings

2011-08-15 11:10 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-01 00:41 . 2006-06-11 00:02 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp

2011-09-01 00:24 . 2006-06-10 23:52 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-09-01 00:16 . 2004-08-03 23:14 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-08-31 21:17 . 2004-08-03 22:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-08-31 17:32 . 2006-06-10 23:52 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2011-08-30 20:46 . 2006-06-10 23:52 143428 ----a-w- c:\windows\system32\nvsvc32.exe

2011-08-16 22:36 . 2011-05-25 22:20 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29 . 2006-06-10 23:52 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2006-06-10 23:52 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2006-06-11 00:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-21 18:18 . 2009-07-04 16:08 81920 ----a-w- c:\windows\system32\ieencode.dll

2011-06-21 18:18 . 2006-06-10 23:52 667136 ----a-w- c:\windows\system32\wininet.dll

2011-06-21 18:18 . 2006-06-10 23:52 61952 ----a-w- c:\windows\system32\tdc.ocx

2011-06-21 12:58 . 2006-06-10 23:52 369664 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2006-06-10 23:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-09-04_03.18.13 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-09-08 21:40 . 2011-09-08 21:40 16384 c:\windows\Temp\Perflib_Perfdata_980.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]

"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-25 273544]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

.

c:\documents and settings\Ryan Fredericks\Start Menu\Programs\Startup\

Yahoo! Widgets.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe [2008-3-18 4742184]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-2-13 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-8-25 528384]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk

backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2010-09-22 22:11 640440 -c--a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2011-06-08 00:54 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 01:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2008-08-14 11:58 611712 -c--a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2004-11-18 03:47 118784 -c--a-w- c:\program files\Apoint\Apoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-03-17 01:58 47392 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppMon Utility]

2006-03-15 17:55 40960 -c--a-w- c:\program files\Sony\AppMonUtil\AppMonUtility.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]

2009-08-04 08:49 318096 -c--a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]

2008-04-24 17:25 202560 -c--a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DirectPlayerCore]

2009-09-24 21:45 1150016 -c--a-w- c:\program files\NBC Direct\DirectPlayerCore.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExecAfterFirstBoot]

2005-03-16 18:22 204800 -c--a-w- c:\windows\SONYSYS\EFlyer\ExecAfterFirstBoot.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2006-04-20 17:10 50792 -c--a-w- c:\program files\Common Files\AOL\1150570943\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2005-12-15 15:18 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2006-02-21 23:59 143360 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]

2006-02-17 16:59 124520 -c--a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]

2004-02-20 21:12 32768 -c--a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2006-03-20 22:34 213936 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]

2007-02-13 15:42 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

2005-07-23 03:25 28160 -c--a-w- c:\windows\KHALMNPR.Exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

2005-07-19 14:05 53248 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-05-08 14:50 7561216 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2006-05-08 14:50 86016 -c--a-w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2010-05-13 20:12 26192168 -c--a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]

2006-01-26 09:28 212992 -c--a-w- c:\program files\Sony\VAIO Power Management\SPMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-11-24 23:53 1242448 -c--a-w- c:\progra~1\Valve\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 15:44 248552 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]

2005-11-24 18:47 167936 -c--a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]

2003-04-20 04:08 28672 -c--a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]

2005-10-12 04:36 151552 -c--a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]

2005-12-01 09:20 69632 -c--a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]

2005-06-13 22:42 258048 -c--a-w- c:\program files\Sony\VAIO Survey\SurveySA.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

2011-08-30 20:47 111816 ----a-w- c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]

2006-11-01 18:19 145072 -c--a-w- c:\program files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\FotomatDeviceConnect.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-19 01:05 204288 -c----w- c:\program files\Windows Media Player\wmpnscfg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NSCService"=3 (0x3)

"navapsvc"=2 (0x2)

"ccSetMgr"=2 (0x2)

"ccProxy"=2 (0x2)

"ccISPwdSvc"=3 (0x3)

"ccEvtMgr"=2 (0x2)

"iPodService"=3 (0x3)

"PACSPTISVR"=3 (0x3)

"ose"=3 (0x3)

"MSCSPTISRV"=3 (0x3)

"MDM"=2 (0x2)

"iPod Service"=3 (0x3)

"Image Converter video recording monitor for VAIO Entertainment"=3 (0x3)

"IDriverT"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)

"VAIOMediaPlatform-IntegratedServer-UPnP"=3 (0x3)

"VAIOMediaPlatform-IntegratedServer-HTTP"=3 (0x3)

"VAIOMediaPlatform-IntegratedServer-AppServer"=3 (0x3)

"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)

"WMPNetworkSvc"=2 (0x2)

"gusvc"=2 (0x2)

"OpenCASE Media Agent"=2 (0x2)

"SSScsiSV"=3 (0x3)

"SPTISRV"=3 (0x3)

"Pml Driver HPZ12"=2 (0x2)

"Bonjour Service"=2 (0x2)

"Symantec Core LC"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

"Adobe Version Cue CS4"=3 (0x3)

"idsvc"=3 (0x3)

"JavaQuickStarterService"=2 (0x2)

"sprtsvc_ddoctorv2"=2 (0x2)

"Pharos Systems ComTaskMaster"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aim6.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\msncall.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=

"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=

"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58306:TCP"= 58306:TCP:PandoRest Listening Port

"57232:TCP"= 57232:TCP:PandoRest Listening Port

"56666:TCP"= 56666:TCP:PandoRest Listening Port

"57541:TCP"= 57541:TCP:PandoRest Listening Port

"58998:TCP"= 58998:TCP:PandoRest Listening Port

"57251:TCP"= 57251:TCP:Pando Media Booster

"57251:UDP"= 57251:UDP:Pando Media Booster

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

"56903:TCP"= 56903:TCP:Pando Media Booster

"56903:UDP"= 56903:UDP:Pando Media Booster

"58433:TCP"= 58433:TCP:Pando Media Booster

"58433:UDP"= 58433:UDP:Pando Media Booster

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"56396:TCP"= 56396:TCP:Pando Media Booster

"56396:UDP"= 56396:UDP:Pando Media Booster

"8378:TCP"= 8378:TCP:League of Legends Launcher

"8378:UDP"= 8378:UDP:League of Legends Launcher

"6979:TCP"= 6979:TCP:League of Legends Launcher

"6979:UDP"= 6979:UDP:League of Legends Launcher

"8379:TCP"= 8379:TCP:League of Legends Launcher

"8379:UDP"= 8379:UDP:League of Legends Launcher

"6983:TCP"= 6983:TCP:League of Legends Launcher

"6983:UDP"= 6983:UDP:League of Legends Launcher

"8380:TCP"= 8380:TCP:League of Legends Launcher

"8380:UDP"= 8380:UDP:League of Legends Launcher

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/5/2008 11:25 PM 24652]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/31/2011 4:13 PM 22712]

R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [6/10/2006 7:52 PM 29184]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [6/10/2006 7:52 PM 226304]

S0 71895782;71895782;c:\windows\system32\drivers\67982631.sys --> c:\windows\system32\drivers\67982631.sys [?]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/31/2011 4:13 PM 366640]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [7/19/2010 10:37 AM 103424]

S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [7/19/2010 10:37 AM 103424]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/2/2009 4:23 PM 717296]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-09-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1558351877-522379458-2971586956-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

2011-09-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1558351877-522379458-2971586956-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

.

------- Supplementary Scan -------

.

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

TCP: DhcpNameServer = 68.87.71.230 68.87.73.246

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Ryan Fredericks\Application Data\Mozilla\Firefox\Profiles\uh4vz55x.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}

FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash

user_pref(security.warn_viewing_mixed,false);

user_pref(security.warn_viewing_mixed.show_once,false);

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

user_pref(security.warn_submit_insecure,false);

FF - user.js: security.warn_submit_insecure.show_once - false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-08 19:49

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Cdrom]

"ImagePath"="system32\drivers\tsk9.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1196)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\VESWinlogon.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

Completion time: 2011-09-08 19:52:09

ComboFix-quarantined-files.txt 2011-09-08 23:51

ComboFix2.txt 2011-09-04 03:26

.

Pre-Run: 18,104,324,096 bytes free

Post-Run: 18,193,494,016 bytes free

.

- - End Of File - - EB3253B0A0ADBE9E01A8F70B8CEB1848

ComboFix.txt


  • Staff

Hi,

My apologies for the delay.

Delete your copies of TDSSKiller and ComboFix. Grab fresh copies. Run TDSSKiller then immediately after, run ComboFix. Post both logs.

Please download GMER from one of the following locations and save it to your Desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any <--- ROOTKIT entries

Please copy and paste the report into your Post.

Are you currently connected through a router?


I deleted my copies of ComboFix and TDSSKiller. I ran TDSSKiller first, then ComboFix, then GMER.

Attached are the ComboFix, TDSSKiller, and GMER logs.

Also, I am currently connected through a Linksys router.

TDSSKiller.2.5.21.0_12.09.2011_20.16.22_log.txt

ComboFix.txt


ark.txt


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=94249
Collect::
c:\windows\system32\c_83943.nl_
c:\windows\system32\wxaetreo.dll

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.


Attached is the new ComboFix log.

Thanks for your help, screen!

ComboFix.txt


screen317,

I usually turn off my laptop when I am done with it. That being said, when I turned it on after sending you the last log, here is what my McAfee On-Access Scan said:

9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe CLSID\{1822C65C-061F-4572-B42B-3DD886988506}\InprocServer32 Generic Downloader.x!gc3 (Trojan)

9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe HKCR\CLSID\{1822C65C-061F-4572-B42B-3DD886988506}\InprocServer32 Generic Downloader.x!gc3 (Trojan)

9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe CLSID\{1822C65C-061F-4572-B42B-3DD886988506} Generic Downloader.x!gc3 (Trojan)

9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe HKCR\CLSID\{1822C65C-061F-4572-B42B-3DD886988506} Generic Downloader.x!gc3 (Trojan)

9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1822C65C-061F-4572-B42B-3DD886988506} Generic Downloader.x!gc3 (Trojan)

9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\SYSTEM32\WSCUI32.DLL Generic Downloader.x!gc3 (Trojan)

9/18/2011 11:36:32 AM Deleted NT AUTHORITY\SYSTEM C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\WINDOWS\system32\wscui32.dll Generic Downloader.x!gc3 (Trojan)

Hence, McAfee deleted the file you wanted me to check. Should I just leave my laptop open or in sleep mode with all my virus protection off after I send you the next log (I will repeat your last steps again to see if we can find anything)? That way it should stop deleting the files you want me to upload. Also, I suppose I could remove McAfee from startup if you think that is safe. I am sorry this keeps occurring after we find a malicious file.


  • Staff

Hi,

I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decided to uninstall it.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Driver::
71895782

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

Post its log directly instead of attaching it. Use multiple posts if necessary.

-screen317

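The CFScript above targets service 71895782, the S0 entry in the earlier ComboFix log whose image path points at a differently numbered .sys that ComboFix marked [?]; the same log also showed the Cdrom service's ImagePath under ControlSet002 set to a .tmp file. As an added example (not code from this thread, from the staff member, or from ComboFix's authors), here is a Python triage script that parses ComboFix-style Drivers/Services lines and registry ImagePath entries and reports the combinations an analyst would look at first. The sample lines are constructed to mirror the thread's log, and the heuristics, the two-finding threshold, the suspect-extension list and every function name are my own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the thread's ComboFix log, in the format ComboFix
# uses for its Drivers/Services listing:
#   <R|S><start type> <service name>;<display name>;<image path> [date time size]
# R = running, S = stopped; start type 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled.
# When ComboFix cannot find the file the image path resolves to, it prints "--> <path> [?]".
SAMPLE_SERVICE_LINES: List[str] = [
    "R1 SASDIFSV;SASDIFSV;c:\\program files\\SUPERAntiSpyware\\sasdifsv.sys [7/22/2011 12:27 PM 12880]",
    "R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\\program files\\Microsoft SQL Server\\MSSQL$VAIO_VEDB"
    "\\Binn\\sqlservr.exe -sVAIO_VEDB --> c:\\program files\\Microsoft SQL Server\\MSSQL$VAIO_VEDB"
    "\\Binn\\sqlservr.exe -sVAIO_VEDB [?]",
    "R3 MBAMProtector;MBAMProtector;c:\\windows\\system32\\drivers\\mbam.sys [8/31/2011 4:13 PM 22712]",
    "S0 71895782;71895782;c:\\windows\\system32\\drivers\\67982631.sys --> "
    "c:\\windows\\system32\\drivers\\67982631.sys [?]",
    "S4 sptd;sptd;c:\\windows\\system32\\drivers\\sptd.sys [3/2/2009 4:23 PM 717296]",
]

# Constructed sample of the registry block ComboFix prints after its rootkit scan.
SAMPLE_REG_LINES: List[str] = [
    "[HKEY_LOCAL_MACHINE\\System\\ControlSet002\\Services\\Cdrom]",
    '"ImagePath"="system32\\drivers\\tsk9.tmp"',
    "[HKEY_LOCAL_MACHINE\\System\\ControlSet002\\Services\\Beep]",
    '"ImagePath"="system32\\drivers\\beep.sys"',
]

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]*)"$')
TRAILER_RE = re.compile(r"\s+\[[^\]]*\]$")  # the "[date time size]" or "[?]" trailer
SUSPECT_IMAGE_EXTS = (".tmp",)  # assumption: extensions a service image should never have


def parse_service_line(line: str) -> Optional[Dict[str, object]]:
    """Split one Drivers/Services line into fields; None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    file_missing = rest.endswith("[?]")
    # Text before " --> " is the raw image path; ComboFix prints the resolved path after it.
    path = TRAILER_RE.sub("", rest.split(" --> ")[0])
    return {
        "state": m.group("state"),
        "start": int(m.group("start")),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path,
        "file_missing": file_missing,
    }


def service_findings(svc: Dict[str, object]) -> List[str]:
    """Heuristic observations (assumptions, not verdicts) about one parsed service."""
    findings: List[str] = []
    filename = str(svc["path"]).rsplit("\\", 1)[-1]
    stem = filename.split(".", 1)[0]
    if svc["file_missing"]:
        findings.append("image file not found on disk ([?])")
    if str(svc["name"]).isdigit():
        findings.append("service name is digits only")
    if stem.isdigit():
        findings.append("driver file name is digits only")
    if svc["start"] == 0:
        findings.append("boot-start driver (loads before security software)")
    return findings


def flagged_services(lines: List[str], min_findings: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (name, findings) for services with at least min_findings observations.

    Requiring two observations keeps a lone "[?]" from flagging legitimate services whose
    image path carries command-line arguments, which ComboFix cannot stat either.
    """
    out: List[Tuple[str, List[str]]] = []
    for line in lines:
        svc = parse_service_line(line)
        if svc is None:
            continue
        findings = service_findings(svc)
        if len(findings) >= min_findings:
            out.append((str(svc["name"]), findings))
    return out


def registry_findings(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (key, path, reason) for ImagePath values that point at a suspect extension."""
    out: List[Tuple[str, str, str]] = []
    key = ""
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = IMAGEPATH_RE.match(line)
        if m and key:
            path = m.group("path")
            if path.lower().endswith(SUSPECT_IMAGE_EXTS):
                out.append((key, path, "service image path points at a temporary file"))
    return out


if __name__ == "__main__":
    for name, findings in flagged_services(SAMPLE_SERVICE_LINES):
        print(f"service {name}: " + "; ".join(findings))
    for key, path, reason in registry_findings(SAMPLE_REG_LINES):
        print(f"{key} ImagePath={path}: {reason}")
```

Run against the constructed samples, only service 71895782 is reported (missing file, numeric name, numeric driver name, boot start), while the MSSQL$VAIO_VEDB line, which also carries [?] only because its image path includes arguments, stays quiet; the registry pass reports the Cdrom ImagePath that points at tsk9.tmp. The output is a lead list for the analyst, not a verdict.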

I uninstalled Viewpoint Manager, Viewpoint Mediaplayer, and Viewpoint Toolbar. Here is the latest log:

ComboFix 11-09-23.03 - Ryan Fredericks 09/23/2011 14:43:04.7.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1322 [GMT -4:00]

Running from: c:\documents and settings\Ryan Fredericks\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Ryan Fredericks\Desktop\CFScript.txt

AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory

c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\DotNetInstaller.exe.5bb65c40.ini

c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\ExecAfterFirstBoot.exe.e14e59e8.ini

c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\MsiExec.exe.8cb23528.ini.inuse

c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\SL1BA.tmp.c69ab859.ini

c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\SL3C.tmp.d00684d9.ini

c:\windows\system32\config\systemprofile\Local Settings\Application Data\ApplicationHistory\VSC.exe.fc8fbd43.ini

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_71895782

.

.

((((((((((((((((((((((((( Files Created from 2011-08-23 to 2011-09-23 )))))))))))))))))))))))))))))))

.

.

2011-09-01 19:33 . 2011-09-01 19:33 -------- d-----w- c:\program files\ESET

2011-08-31 20:13 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-31 20:13 . 2011-08-31 20:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-31 20:13 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\SUPERAntiSpyware.com

2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-08-31 17:44 . 2011-08-31 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-08-31 17:32 . 2011-08-31 17:32 951291 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\remregfix.reg

2011-08-31 17:32 . 2011-08-31 17:32 896 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\databasepath.reg

2011-08-31 17:32 . 2011-08-31 17:32 890 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\Remove-itRestorePoint.vbs

2011-08-31 17:32 . 2011-08-31 17:32 5228 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\nfig.reg

2011-08-31 17:32 . 2011-08-31 17:32 4994 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\s.reg

2011-08-31 17:32 . 2011-08-31 17:32 4512 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\hpregfix.reg

2011-08-31 17:32 . 2011-08-31 17:32 3008 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\bgregfix.reg

2011-08-31 17:32 . 2011-08-31 17:32 2600 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\exefix.reg

2011-08-31 17:32 . 2011-08-31 17:32 18308 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\IEDef.reg

2011-08-31 17:32 . 2011-08-31 17:32 1754 ----a-w- c:\documents and settings\Ryan Fredericks\Local Settings\Application Data\regf.reg

2011-08-31 16:53 . 2011-08-16 12:48 7152464 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll

2011-08-31 16:53 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-08-31 16:51 . 2011-08-31 16:51 -------- d-----w- c:\program files\Windows Defender

2011-08-30 22:24 . 2011-08-30 22:24 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-30 20:42 . 2011-08-30 20:42 -------- d-----w- C:\spoolerlogs

2011-08-25 19:24 . 2011-08-25 19:24 -------- d-----w- c:\documents and settings\Ryan Fredericks\Application Data\DDMSettings

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-01 00:41 . 2006-06-11 00:02 53472 ----a-w- c:\windows\system32\wuauclt.exe.tmp

2011-09-01 00:24 . 2006-06-10 23:52 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-09-01 00:16 . 2004-08-03 23:14 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-08-31 21:17 . 2004-08-03 22:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-08-31 17:32 . 2006-06-10 23:52 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2011-08-30 22:49 . 2011-08-30 22:49 388096 ----a-r- c:\documents and settings\Ryan Fredericks\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-08-30 20:46 . 2006-06-10 23:52 143428 ----a-w- c:\windows\system32\nvsvc32.exe

2011-08-16 22:36 . 2011-05-25 22:20 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29 . 2006-06-10 23:52 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2006-06-10 23:52 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]

"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-25 273544]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

.

c:\documents and settings\Ryan Fredericks\Start Menu\Programs\Startup\

Yahoo! Widgets.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe [2008-3-18 4742184]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-2-13 67128]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-8-25 528384]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk

backup=c:\windows\pss\Trend Micro Anti-Spyware.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2010-09-22 22:11 640440 -c--a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2011-09-07 19:53 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 01:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2008-08-14 11:58 611712 -c--a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

2004-11-18 03:47 118784 -c--a-w- c:\program files\Apoint\Apoint.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-03-17 01:58 47392 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppMon Utility]

2006-03-15 17:55 40960 -c--a-w- c:\program files\Sony\AppMonUtil\AppMonUtility.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]

2009-08-04 08:49 318096 -c--a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]

2008-04-24 17:25 202560 -c--a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DirectPlayerCore]

2009-09-24 21:45 1150016 -c--a-w- c:\program files\NBC Direct\DirectPlayerCore.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExecAfterFirstBoot]

2005-03-16 18:22 204800 -c--a-w- c:\windows\SONYSYS\EFlyer\ExecAfterFirstBoot.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2006-04-20 17:10 50792 -c--a-w- c:\program files\Common Files\AOL\1150570943\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2005-12-15 15:18 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2006-02-21 23:59 143360 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]

2006-02-17 16:59 124520 -c--a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]

2004-02-20 21:12 32768 -c--a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2006-03-20 22:34 213936 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]

2007-02-13 15:42 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]

2005-07-23 03:25 28160 -c--a-w- c:\windows\KHALMNPR.Exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

2005-07-19 14:05 53248 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-05-08 14:50 7561216 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

2006-05-08 14:50 86016 -c--a-w- c:\windows\system32\nvmctray.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2010-05-13 20:12 26192168 -c--a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]

2006-01-26 09:28 212992 -c--a-w- c:\program files\Sony\VAIO Power Management\SPMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-11-24 23:53 1242448 -c--a-w- c:\progra~1\Valve\Steam\Steam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 15:44 248552 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]

2005-11-24 18:47 167936 -c--a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]

2003-04-20 04:08 28672 -c--a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]

2005-10-12 04:36 151552 -c--a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]

2005-12-01 09:20 69632 -c--a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]

2005-06-13 22:42 258048 -c--a-w- c:\program files\Sony\VAIO Survey\SurveySA.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2006-10-19 01:05 204288 -c----w- c:\program files\Windows Media Player\wmpnscfg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NSCService"=3 (0x3)

"navapsvc"=2 (0x2)

"ccSetMgr"=2 (0x2)

"ccProxy"=2 (0x2)

"ccISPwdSvc"=3 (0x3)

"ccEvtMgr"=2 (0x2)

"iPodService"=3 (0x3)

"PACSPTISVR"=3 (0x3)

"ose"=3 (0x3)

"MSCSPTISRV"=3 (0x3)

"MDM"=2 (0x2)

"iPod Service"=3 (0x3)

"Image Converter video recording monitor for VAIO Entertainment"=3 (0x3)

"IDriverT"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)

"VAIOMediaPlatform-IntegratedServer-UPnP"=3 (0x3)

"VAIOMediaPlatform-IntegratedServer-HTTP"=3 (0x3)

"VAIOMediaPlatform-IntegratedServer-AppServer"=3 (0x3)

"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)

"WMPNetworkSvc"=2 (0x2)

"gusvc"=2 (0x2)

"OpenCASE Media Agent"=2 (0x2)

"SSScsiSV"=3 (0x3)

"SPTISRV"=3 (0x3)

"Pml Driver HPZ12"=2 (0x2)

"Bonjour Service"=2 (0x2)

"Symantec Core LC"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

"Adobe Version Cue CS4"=3 (0x3)

"idsvc"=3 (0x3)

"JavaQuickStarterService"=2 (0x2)

"sprtsvc_ddoctorv2"=2 (0x2)

"Pharos Systems ComTaskMaster"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1150570943\\ee\\aim6.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\msncall.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\NBC Direct\\DirectPlayerCore.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=

"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=

"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike source\\hl2.exe"=

"c:\\Program Files\\Valve\\Steam\\steamapps\\maelstrom@kodgamers.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58306:TCP"= 58306:TCP:PandoRest Listening Port

"57232:TCP"= 57232:TCP:PandoRest Listening Port

"56666:TCP"= 56666:TCP:PandoRest Listening Port

"57541:TCP"= 57541:TCP:PandoRest Listening Port

"58998:TCP"= 58998:TCP:PandoRest Listening Port

"57251:TCP"= 57251:TCP:Pando Media Booster

"57251:UDP"= 57251:UDP:Pando Media Booster

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

"56903:TCP"= 56903:TCP:Pando Media Booster

"56903:UDP"= 56903:UDP:Pando Media Booster

"58433:TCP"= 58433:TCP:Pando Media Booster

"58433:UDP"= 58433:UDP:Pando Media Booster

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"56396:TCP"= 56396:TCP:Pando Media Booster

"56396:UDP"= 56396:UDP:Pando Media Booster

"8378:TCP"= 8378:TCP:League of Legends Launcher

"8378:UDP"= 8378:UDP:League of Legends Launcher

"6979:TCP"= 6979:TCP:League of Legends Launcher

"6979:UDP"= 6979:UDP:League of Legends Launcher

"8379:TCP"= 8379:TCP:League of Legends Launcher

"8379:UDP"= 8379:UDP:League of Legends Launcher

"6983:TCP"= 6983:TCP:League of Legends Launcher

"6983:UDP"= 6983:UDP:League of Legends Launcher

"8380:TCP"= 8380:TCP:League of Legends Launcher

"8380:UDP"= 8380:UDP:League of Legends Launcher

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/31/2011 4:13 PM 366640]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/31/2011 4:13 PM 22712]

R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [6/10/2006 7:52 PM 29184]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [6/10/2006 7:52 PM 226304]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 qcmdmxp;HTC Proprietary USB Driver;c:\windows\system32\drivers\qcmdmxp.sys [7/19/2010 10:37 AM 103424]

S3 qcserxp;HTC Diagnostic Port;c:\windows\system32\drivers\qcserxp.sys [7/19/2010 10:37 AM 103424]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/2/2009 4:23 PM 717296]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-09-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1558351877-522379458-2971586956-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

2011-09-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1558351877-522379458-2971586956-1006.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]

.

.

------- Supplementary Scan -------

.

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

TCP: DhcpNameServer = 68.87.71.230 68.87.73.246

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\Ryan Fredericks\Application Data\Mozilla\Firefox\Profiles\uh4vz55x.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Mozilla Firefox\extensions\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}

FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - Ext: IDM FlashPlugin: flashplugin@idm - c:\documents and settings\Ryan Fredericks\Application Data\IDM\bin\flash

user_pref(security.warn_viewing_mixed,false);

user_pref(security.warn_viewing_mixed.show_once,false);

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

user_pref(security.warn_submit_insecure,false);

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

MSConfigStartUp-ViewpointPhotosDeviceConnect - c:\program files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\FotomatDeviceConnect.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-23 16:40

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Cdrom]

"ImagePath"="system32\drivers\tsk9.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1204)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\VESWinlogon.dll

.

- - - - - - - > 'explorer.exe'(2256)

c:\program files\Logitech\SetPoint\GameHook.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Juniper Networks\Common Files\dsNcService.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe

c:\program files\Sony\VAIO Event Service\VESMgr.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

c:\windows\system32\wscntfy.exe

c:\program files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe

c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe

c:\program files\Logitech\G-series Software\Applets\LCDClock.exe

c:\program files\Logitech\G-series Software\Applets\LCDMedia.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2011-09-23 16:47:17 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-23 20:47

ComboFix2.txt 2011-09-18 19:34

.

Pre-Run: 20,186,759,168 bytes free

Post-Run: 20,016,996,352 bytes free

.

- - End Of File - - 8C48EC1B44D448D42E16B669134C9A48


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


Hey screen317,

The ESET Scanner would not run. It said "Unexpected Error 101: ESET Scanner has already been run on this computer in the past. Only files necessary to update to the current version will be updated." After this, it pauses and never gets anywhere. I tried the downloadable version that it asks about if you try accessing it from Firefox, and that one did not work either.

I did the Security Check (while I had all my antivirus protection down). The results are pasted below.

As for symptoms, the computer seems to be running fine with no more redirection from Google. The only "issue" is that the ESET Scanner is not working. Thanks for your help!

Results of screen317's Security Check version 0.99.19

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

SonicStage Mastering Studio Audio Filter Custom Preset

McAfee VirusScan Enterprise

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

Java 6 Update 21

Out of date Java installed!

Adobe Flash Player 10.3.183.10

Mozilla Firefox (Player..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

McAfee VirusScan Enterprise VsTskMgr.exe

McAfee VirusScan Enterprise SHSTAT.EXE

``````````End of Log````````````


  • Staff

Hi,

Try this scanner instead:

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Let me know how things are running now and what issues remain.

-screen317


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


I ran the F-Secure Online Scanner and it found a few files. Overall, my computer seems to be running normally. Thank you for all your help! I really do appreciate it!

-Mael

PS: Here is the F-Secure Online Report

Scanning Report

Wednesday, October 19, 2011 16:29:22 - 21:51:32

Computer name: MAELSKI

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

2 malware found

Suspicious:W32/Malware!Gemini (spyware)

* System (Disinfected)

Suspicious:W32/Malware!Gemini (virus)

* C:\DOCUMENTS AND SETTINGS\RYAN FREDERICKS\DESKTOP\9QD81UN0.EXE (Not cleaned)

Statistics

Scanned:

* Files: 211558

* System: 5675

* Not scanned: 19

Actions:

* Disinfected: 1

* Renamed: 0

* Deleted: 0

* Not cleaned: 1

* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\ASSEMBLY\GAC_MSIL\DESKTOP(2).INI

* C:\PROGRAM FILES\WINDOWS DEFENDER\MSMPENG.EXE

* C:\PROGRAM FILES\TREND MICRO\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

* C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

* C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE

* C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\FIREFOX.EXE

* C:\PROGRAM FILES\ESET\ESET ONLINE SCANNER\ONLINECMDLINESCANNER.EXE

* C:\DOCUMENTS AND SETTINGS\RYAN FREDERICKS\LOCAL SETTINGS\TEMP\ETILQS_FPL7W7VPCGDECEB4OTOB

* C:\DOCUMENTS AND SETTINGS\RYAN FREDERICKS\LOCAL SETTINGS\TEMP\ETILQS_IJIASOCGLJLJX7YKCFDL

* C:\DOCUMENTS AND SETTINGS\RYAN FREDERICKS\LOCAL SETTINGS\TEMP\HSPERFDATA_RYAN FREDERICKS\2316

* C:\DOCUMENTS AND SETTINGS\RYAN FREDERICKS\LOCAL SETTINGS\TEMP\HSPERFDATA_RYAN FREDERICKS\5504

* C:\DOCUMENTS AND SETTINGS\RYAN FREDERICKS\DESKTOP\7TUNY3QI.EXE

* C:\DOCUMENTS AND SETTINGS\RYAN FREDERICKS\DESKTOP\8HXLH3EV.EXE

Options

Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

* Use advanced heuristics


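The report above is plain text with fixed section headings, so it can be triaged mechanically rather than read by eye. The Python below is an added example, not code from this thread or from F-Secure: it parses a report of that layout, lists the findings the scanner could not clean, and separates files it could not open because Windows holds them locked (the page file and the registry hives under SYSTEM32\CONFIG) from unscanned files that deserve a manual look, such as the security-tool executables and the randomly named .EXE files on the desktop. SAMPLE_REPORT is a constructed, shortened copy of the posted report with the user's profile path replaced by USER; the locked-file allowlist and the set of statuses treated as resolved are assumptions, not F-Secure definitions.

```python
"""Parse and triage an F-Secure Online Scanner text report.

Added example for this thread, not code from the forum or from F-Secure.
SAMPLE_REPORT is a constructed, shortened copy of the posted report.
"""
import re

SAMPLE_REPORT = """\
Scanning Report
Wednesday, October 19, 2011 16:29:22 - 21:51:32
2 malware found
Suspicious:W32/Malware!Gemini (spyware)
* System (Disinfected)
Suspicious:W32/Malware!Gemini (virus)
* C:\\DOCUMENTS AND SETTINGS\\USER\\DESKTOP\\9QD81UN0.EXE (Not cleaned)
Statistics
Scanned:
* Files: 211558
* Not scanned: 19
Actions:
* Disinfected: 1
* Not cleaned: 1
Files not scanned:
* C:\\PAGEFILE.SYS
* C:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM
* C:\\WINDOWS\\SYSTEM32\\CONFIG\\SOFTWARE
* C:\\PROGRAM FILES\\WINDOWS DEFENDER\\MSMPENG.EXE
* C:\\PROGRAM FILES\\TREND MICRO\\HIJACKTHIS\\HIJACKTHIS.EXE
* C:\\DOCUMENTS AND SETTINGS\\USER\\DESKTOP\\7TUNY3QI.EXE
Options
"""

# Statuses treated as handled by the scanner (assumption: "Submitted" is not).
RESOLVED = {"Disinfected", "Deleted", "Renamed"}
# Files a scanner legitimately cannot open on a running system: the page
# file and the registry hives are held open exclusively by Windows.
# Anything else under "Files not scanned" deserves a manual look. (Assumed list.)
EXPECTED_LOCKED = re.compile(
    r"^C:\\PAGEFILE\.SYS$|^C:\\WINDOWS\\SYSTEM32\\CONFIG\\[A-Z]+$", re.IGNORECASE)
FINDING_RE = re.compile(r"^\* (?P<path>.+?) \((?P<status>[^()]+)\)$")
COUNTER_RE = re.compile(r"^\* ([A-Za-z ]+): (\d+)$")


def parse_report(text):
    """Split the report into findings, summary counters and unscanned paths."""
    findings, not_scanned, stats = [], [], {}
    section = detection = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^\d+ malware found$", line):
            section = "findings"
        elif line == "Statistics":
            section = "stats"
        elif line == "Files not scanned:":
            section = "not_scanned"
        elif line == "Options":
            section = None
        elif section == "findings":
            m = FINDING_RE.match(line)
            if m:  # "* <path> (<status>)" lines belong to the preceding detection name
                findings.append({"detection": detection, "path": m["path"], "status": m["status"]})
            else:
                detection = line
        elif section == "stats":
            m = COUNTER_RE.match(line)
            if m:
                stats[m.group(1)] = int(m.group(2))
        elif section == "not_scanned" and line.startswith("* "):
            not_scanned.append(line[2:])
    return {"findings": findings, "stats": stats, "not_scanned": not_scanned}


def triage(report):
    """Return what a human should act on after reading the report."""
    unresolved = [f for f in report["findings"] if f["status"] not in RESOLVED]
    to_review = [p for p in report["not_scanned"] if not EXPECTED_LOCKED.match(p)]
    # Cross-check the summary counters against the per-file lists; a report
    # truncated or edited before posting shows up as a mismatch here.
    observed = {
        "Not cleaned": sum(f["status"] == "Not cleaned" for f in report["findings"]),
        "Not scanned": len(report["not_scanned"]),
    }
    mismatches = {k: (report["stats"][k], v) for k, v in observed.items()
                  if k in report["stats"] and report["stats"][k] != v}
    return {"unresolved": unresolved, "unscanned_to_review": to_review,
            "counter_mismatches": mismatches}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for f in result["unresolved"]:
        print("UNRESOLVED:", f["status"], f["detection"], f["path"])
    for p in result["unscanned_to_review"]:
        print("NOT SCANNED, review manually:", p)
    for k, (claimed, seen) in result["counter_mismatches"].items():
        print(f"COUNTER MISMATCH {k}: report says {claimed}, list has {seen}")
```

On the shortened sample the counter check flags "Not scanned" (the report claims 19, the embedded list has 6), which is exactly the signal you want when someone pastes a trimmed report; the full report above lists all 19 and passes. The one unresolved entry is the "Not cleaned" desktop executable, and the review list is the unscanned security-tool binaries plus the other randomly named desktop .EXE.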
  • Staff

Delete this file:

C:\DOCUMENTS AND SETTINGS\RYAN FREDERICKS\DESKTOP\9QD81UN0.EXE

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

ESET Online Scanner v3

Ad-Aware (if you don't update it and use it often)

Java™ 6 Update 21

Adobe Flash Player 10.3.183.10

Restart your computer.

Get the latest version of Java and Adobe Flash Player.

Let me know what issues remain.

Hey screen317,

That file (C:\DOCUMENTS AND SETTINGS\RYAN FREDERICKS\DESKTOP\9QD81UN0.EXE) was not there when I went to delete it. I hope that does not mean anything bad...

I uninstalled ComboFix and got rid of/updated the programs you mentioned.

Other than the missing file I mentioned above, I do not see any problems with this laptop. Thank you so much for your help!

-Maelski
