Infected Computer Links in Startup Menu removed


MPA

Hello MPA! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copied and pasted into your next reply.

Step 1

You have p2p software installed on your system, which is very dangerous and illegal. Please check our rules for piracy and uninstall µTorrent:

http://forums.malwarebytes.org/index.php?showtopic=97700

Step 2

Please follow the instructions here for ComboFix:

bleepingcomputer.com/combofix/how-to-use-combofix#use

When you are ready, please post log.txt and a new fresh DDS log file.

Interesting that I subscribed to this thread but never got a notification that anyone responded. Okay, here are the DDS, Attach and log files:

DDS

-----------------

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.1.0

Run by Will at 20:17:04 on 2011-11-15

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3071.1920 [GMT -5:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\taskhost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\crypserv.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\spool\DRIVERS\W32X86\3\lxdnserv.exe

C:\Windows\system32\lxdncoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Windows\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\conhost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://yeppo.net

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Set UA String (BHO): {3ce56db6-fcbe-4422-9454-63c354178985} - c:\program files\uapick\UABtn.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uPolicies-explorer: ForceRunOnStartMenu = 1 (0x1)

uPolicies-explorer: QuickLaunchEnabled = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: {7CD59A63-0815-46D0-B474-2E5BCFCADD7C} - {1E866952-62EA-4161-B97D-4D228CEDF7A0} - c:\program files\uapick\UABtn.dll

Trusted Zone: motive.com\pattta.att

Trusted Zone: motive.com\patttbc.att

DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} - hxxps://fixit.support.microsoft.com/ActiveX/FixItClient.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{B2F02C79-8312-4F9E-8749-8F2F57392CB8} : DhcpNameServer = 192.168.1.254

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\will\appdata\roaming\mozilla\firefox\profiles\mhl1biwx.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=ce25f49a00000000000000ff031509b7&tlver=1.4.35.10&affID=100842

FF - plugin: c:\program files\common files\motive\npMotive.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\will\appdata\roaming\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\users\will\appdata\roaming\mozilla\firefox\profiles\mhl1biwx.default\extensions\coralietab@mozdev.org\plugins\npCoralIETab.dll

FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}

FF - Ext: cacaoweb: cacaoweb@cacaoweb.org - %profile%\extensions\cacaoweb@cacaoweb.org

FF - Ext: vShare Plugin: vshareus@toolbar - %profile%\extensions\vshareus@toolbar

FF - Ext: OpenDownload²: {210249CE-F888-11DD-B868-4CB456D89593} - %profile%\extensions\{210249CE-F888-11DD-B868-4CB456D89593}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: IE Tab +: coralietab@mozdev.org - %profile%\extensions\coralietab@mozdev.org

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\will\appdata\roaming\Move Networks

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-7-28 176128]

R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2011-7-28 291840]

R2 AODDriver4.01;AODDriver4.01;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2011-6-24 39424]

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]

R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2009-8-13 98984]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-23 366152]

R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-1-8 37944]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-7-28 8396800]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-7-28 247296]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-6-6 211984]

R3 KMWDFILTERx86;HIDServiceDesc;c:\windows\system32\drivers\KMWDFILTER.sys [2009-4-29 25088]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-14 22216]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-7-15 322848]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2009-11-26 45440]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [2005-7-19 57744]

S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [2005-7-19 8336]

S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [2005-7-19 93328]

S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cur_serd.sys [2005-7-19 73152]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-1-4 14216]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-1-4 8456]

S3 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]

S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2009-11-26 56960]

S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [2009-7-13 35840]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-4-5 15872]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-5 52224]

S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]

S4 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]

.

=============== Created Last 30 ================

.

2011-11-16 01:17:00 607260 ----a-w- c:\program files\dds.scr

2011-11-16 01:08:59 -------- d-sh--w- C:\$RECYCLE.BIN

2011-11-16 00:57:36 98816 ----a-w- c:\windows\sed.exe

2011-11-16 00:57:36 518144 ----a-w- c:\windows\SWREG.exe

2011-11-16 00:57:36 256000 ----a-w- c:\windows\PEV.exe

2011-11-16 00:57:36 208896 ----a-w- c:\windows\MBR.exe

2011-11-13 00:20:00 -------- d-----w- c:\programdata\Avanquest

2011-11-13 00:20:00 -------- d-----w- c:\program files\Avanquest update

2011-11-13 00:18:45 -------- d-----w- c:\users\will\appdata\local\BVRP Software

2011-11-12 23:59:26 -------- d-----w- c:\program files\Motorola Phone Tools

2011-11-10 02:30:22 -------- d-----w- c:\program files\Replay Video Capture

2011-11-08 23:12:41 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-08 23:12:39 708608 ----a-w- c:\program files\common files\system\wab32.dll

2011-11-08 23:12:19 2341888 ----a-w- c:\windows\system32\win32k.sys

2011-11-07 23:58:58 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-11-07 23:53:54 69632 ----a-w- c:\windows\system32\drivers\bowser.sys

2011-10-24 21:27:11 -------- d-----w- c:\users\will\appdata\roaming\GetRightToGo

2011-10-23 22:18:09 -------- d-----w- c:\users\will\appdata\local\Babylon

2011-10-23 22:18:07 -------- d-----w- c:\program files\Easy Downloads

.

==================== Find3M ====================

.

2011-11-13 18:20:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-03 07:50:34 544656 ----a-w- c:\windows\system32\deployJava1.dll

2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-27 04:26:27 233472 ----a-w- c:\windows\system32\oleacc.dll

2007-03-09 07:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7601 Disk: ST3500830AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: >>UNKNOWN [0x83603000]<< >>UNKNOWN [0x8C28C000]<< >>UNKNOWN [0x8C27B000]<< >>UNKNOWN [0x84361000]<< >>UNKNOWN [0x83A15000]<< >>UNKNOWN [0x861A71F8]<<

_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }

1 ntkrnlpa!IofCallDriver[0x8363A52A] -> \Device\Harddisk0\DR0[0x86ECC030]

\Driver\Disk[0x86ED0030] -> IRP_MJ_CREATE -> 0x8C29039F

3 [0x8C29059E] -> ntkrnlpa!IofCallDriver[0x8363A52A] -> [0x86ED0918]

\Driver\ACPI[0x861A2DF8] -> IRP_MJ_CREATE -> 0x8436A4CC

5 [0x8436A3D4] -> ntkrnlpa!IofCallDriver[0x8363A52A] -> \Device\Ide\IdeDeviceP0T0L0-0[0x87017908]

\Driver\atapi[0x86E8D658] -> IRP_MJ_CREATE -> 0x861A71F8

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 20:17:21.55 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume2

Install Date: 10/25/2009 11:04:49 PM

System Uptime: 11/14/2011 7:30:13 PM (25 hours ago)

.

Motherboard: Acer | | F690GVM

Processor: AMD Phenom 9500 Quad-Core Processor | Socket AM2 | 2200/231mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 425 GiB total, 345.001 GiB free.

D: is FIXED (NTFS) - 12 GiB total, 10.112 GiB free.

E: is CDROM (CDFS)

F: is FIXED (NTFS) - 10 GiB total, 3.442 GiB free.

G: is Removable

H: is Removable

I: is Removable

J: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}

Description: PS/2 Compatible Mouse

Device ID: ACPI\PNP0F13\3&18D45AA6&0

Manufacturer: Microsoft

Name: PS/2 Compatible Mouse

PNP Device ID: ACPI\PNP0F13\3&18D45AA6&0

Service: i8042prt

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: MpKslb8f1bfd9

Device ID: ROOT\LEGACY_MPKSLB8F1BFD9\0000

Manufacturer:

Name: MpKslb8f1bfd9

PNP Device ID: ROOT\LEGACY_MPKSLB8F1BFD9\0000

Service: MpKslb8f1bfd9

.

==== System Restore Points ===================

.

RP464: 11/7/2011 7:00:26 PM - Windows Update

RP466: 11/7/2011 7:39:35 PM - Windows Update

RP468: 11/8/2011 6:12:51 PM - Windows Update

RP464: 11/10/2011 6:15:56 PM - Windows Update

RP466: 11/12/2011 6:58:14 PM - Installed Motorola Phone Tools

RP468: 11/12/2011 7:02:23 PM - Device Driver Package Install: Motorola Korea, Inc. Universal Serial Bus controllers

RP470: 11/12/2011 7:03:22 PM - Device Driver Package Install: Motorola Korea, Inc. Modems

RP472: 11/12/2011 7:04:46 PM - Device Driver Package Install: Motorola Korea, Inc. Ports (COM & LPT)

RP473: 11/15/2011 7:57:41 PM - ComboFix created restore point

.

==== Installed Programs ======================

.

"Nero SoundTrax Help

7-Zip 4.65

ABBYY FineReader 6.0 Sprint

Adobe Flash Player 11 ActiveX

Adobe Reader 7.0

Adobe Reader 7.0.5

Advertising Center

AMD Catalyst Install Manager

AMD Fuel

AMD VISION Engine Control Center

Apple Application Support

Apple Software Update

Audacity 1.2.6

Avanquest update

Bayden UAPick

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help English

CCC Help Japanese

CCC Help Korean

CCC Help Thai

CD Audio Reader Filter (remove only)

Combined Community Codec Pack 2010-10-10

Compatibility Pack for the 2007 Office system

D3DX10

DC-Bass Source 1.1.1

DirectVobSub (remove only)

DivX Setup

DolbyFiles

DScaler 5 Mpeg Decoders

EASEUS Partition Master 4.1.1 Home Edition

EasyBCD 1.7.2

ffdshow [rev 2527] [2008-12-19]

Foxit PDF Editor

Haali Media Splitter

ImagXpress

Java Auto Updater

Java 6 Update 26

Java 6 Update 27

Java 7 Update 1

Junk Mail filter update

KaraFun Player

Lexmark 2600 Series

Lexmark Fax Solutions

Magic ISO Maker v5.4 (build 0239)

MagicDisc 2.7.106

Malwarebytes' Anti-Malware version 1.51.2.1300

Menu Templates - Starter Kit

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Corporation

Microsoft Office Professional Edition 2003

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable - KB2467175

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

MONOGRAM AMR Splitter/Decoder (remove only)

Motorola Driver Installation 4.5.0

Motorola Phone Tools

Move Media Player

Movie Templates - Starter Kit

Mozilla Firefox (3.6.24)

MSVCRT

Nero 9

Nero BurningROM

Nero BurnRights

Nero ControlCenter

Nero CoverDesigner

Nero CoverDesigner Help

Nero Disc Copy Gadget

Nero Disc Copy Gadget Help

Nero DiscSpeed

Nero DriveSpeed

Nero Express

Nero InfoTool

Nero Installer

Nero PhotoSnap

Nero PhotoSnap Help

Nero Recode

Nero Recode Help

Nero Rescue Agent

Nero RescueAgent Help

Nero ShowTime

Nero StartSmart

Nero StartSmart Help

Nero Vision

Nero WaveEditor

Nero WaveEditor Help

NeroBurningROM

NeroExpress

neroxml

NirSoft WebVideoCap

OpenSource DTS/AC3/DD+ Source Filter (remove only)

OpenSource Flash Video Splitter (remove only)

Oxelon Media Converter 1.1

PCI Soft Data Fax Modem with SmartCP

PDFCreator

PowerISO

QuickTime

Random Dice Roller

RealMedia (remove only)

Replay Converter 3

Replay Video Capture

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

SHOUTcast Source (remove only)

Skype™ 5.5

Snapshot Viewer

SopCast 3.0.3

SoundTrax

SUPERAntiSpyware Free Edition

SysTools DBX Converter

Time Stopper

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

VC80CRTRedist - 8.0.50727.4053

VC80CRTRedist - 8.0.50727.6195

Veetle TV 0.9.18

Veoh Web Player

Virtual Account Numbers

VLC media player 1.1.11

VuRoom

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live OneCare safety scanner

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Media Player Firefox Plugin

WinPcap 4.1.2

WinRAR archiver

Yahoo! Messenger

.

==== Event Viewer Messages From Past Week ========

.

11/9/2011 8:33:34 PM, Error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).

11/9/2011 12:50:33 AM, Error: Service Control Manager [7003] - The Link-Layer Topology Discovery Mapper service depends the following service: lltdio. This service might not be installed.

11/9/2011 12:50:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1075" attempting to start the service lltdsvc with arguments "" in order to run the server: {5BF9AA75-D7FF-4AEE-AA2C-96810586456D}

11/15/2011 8:17:01 PM, Error: Service Control Manager [7000] - The Diagnostic Service Host service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.

11/15/2011 8:06:49 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

11/14/2011 7:31:03 PM, Error: Service Control Manager [7023] - The Offline Files service terminated with the following error: The system cannot find the path specified.

11/14/2011 7:31:00 PM, Error: Service Control Manager [7000] - The OrangeWare USB Enhanced Host Controller Service service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

11/14/2011 5:26:21 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

11/13/2011 7:01:10 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

11/12/2011 7:28:13 PM, Error: Service Control Manager [7030] - The MotoConnect Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

.

==== End Of File ===========================

ComboFix 11-11-15.06 - Will 11/15/2011 19:59:52.1.4 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3071.1976 [GMT -5:00]

Running from: c:\users\Will\AppData\Local\Temp\mozOpenDownload\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\ErrLog.txt

c:\program files\Mozilla Firefox\components\npclntax.xpt

C:\readme.txt

c:\users\Will\AppData\Local\{F54A9C95-0A91-4C70-BF22-0B66A3B88842}

c:\users\Will\AppData\Local\{F54A9C95-0A91-4C70-BF22-0B66A3B88842}\chrome.manifest

c:\users\Will\AppData\Local\{F54A9C95-0A91-4C70-BF22-0B66A3B88842}\chrome\content\_cfg.js

c:\users\Will\AppData\Local\{F54A9C95-0A91-4C70-BF22-0B66A3B88842}\chrome\content\overlay.xul

c:\users\Will\AppData\Local\{F54A9C95-0A91-4C70-BF22-0B66A3B88842}\install.rdf

c:\users\Will\AppData\Roaming\cacaoweb

c:\users\Will\AppData\Roaming\cacaoweb\cacaoweb.exe

c:\users\Will\AppData\Roaming\cacaoweb\download18GEVG92992033077.cacao

c:\users\Will\AppData\Roaming\cacaoweb\downloadB34J6HTK26974223.cacao

c:\users\Will\AppData\Roaming\cacaoweb\downloadREOA41QZ24672776.cacao

c:\users\Will\AppData\Roaming\cacaoweb\downloadVN7UFDNJ346400790.cacao

c:\users\Will\AppData\Roaming\cacaoweb\npdfile.dat

c:\users\Will\AppData\Roaming\cacaoweb\replicating02854343B25D195D3D313C525C31BB78.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating0748E7AFAC387DF8A98E680F32036898.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating0B540960BE11948CA03669E91C7EB262.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating198F4AA3FAAFC187E5EF5750FB81C4A3.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating1AAE94F97F9A07F373F39631C3D3D0CE.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating1DAA856970E5872ACD084AF7C3A1BFD2.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating1DB84408EAD35EEAC3BD8D5AF8EB6180.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating37918BC217483AC51B872DBD631FA595.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating39AECB667DFD3EBE5337AE0BF73B3B25.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating4EAD8AA1A5AFD73ACF26E024DE64EC56.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating500474666570A1D19855E5852FC69E9D.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating64AE31C608EC76EDD0CE63DF69D747F4.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating65CFA423698D510FB7CCA29C0B3A672D.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating678AABB815E06583201D8D097662C793.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating6F3AA6EFF27C099A61A509E0F6D9CBAD.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating75E5652E759FC4AB3478129C2C1BFC28.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicating8AA2BCC7281D6C6E5C0CEFA989D4F787.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicatingA5CA650B755A3B5D01F0C7A8F12A8F5C.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicatingAA41B47D6516AEFF114604B8EDA0EAFD.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicatingAEBA31274B72E4EF4E4823D442E0FE03.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicatingBD34DF4950300034746897FA72F8115B.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicatingCC421BEBBF4489BBE4F9A18FC72A60B8.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicatingD44684E9E5B5EE748715158E9DCA8321.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicatingDFAF36B1FD6F54F1919E5586D026640F.cacao

c:\users\Will\AppData\Roaming\cacaoweb\replicatingF78E35DB1FD8BB23F22C911FEFB0FB6D.cacao

c:\users\Will\AppData\Roaming\cacaoweb\storage.db

c:\users\Will\AppData\Roaming\FREEzeFrog

c:\users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore

c:\users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\System Restore.lnk

c:\users\Will\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\Uninstall System Restore.lnk

c:\users\Will\lame_enc_en.dll

c:\users\Will\lametritonus_en.dll

c:\windows\7Loader.TAG

c:\windows\system32\dstfixx.dll

c:\windows\system32\gxvxccount

c:\windows\system32\ntkrlICE.exe

c:\windows\system32\scvideo.dll

c:\windows\system32\spool\prtprocs\w32x86\WFXPNT40.DLL

c:\windows\system32\wrdivin.dll

D:\resycled

.

.

((((((((((((((((((((((((( Files Created from 2011-10-16 to 2011-11-16 )))))))))))))))))))))))))))))))

.

.

2011-11-14 10:56 . 2011-11-14 10:56 -------- d-----w- c:\users\Will\AppData\Roaming\Yahoo!

2011-11-13 18:19 . 2011-11-13 18:19 -------- d-----w- c:\windows\Profiles\All Users\Application Data\Yahoo!

2011-11-13 00:20 . 2011-11-13 00:20 -------- d-----w- c:\program files\Avanquest update

2011-11-13 00:18 . 2011-11-13 00:18 -------- d-----w- c:\users\Will\AppData\Local\BVRP Software

2011-11-12 23:59 . 2011-11-13 00:39 -------- d-----w- c:\program files\Motorola Phone Tools

2011-11-12 23:57 . 2011-11-12 23:57 -------- d-----w- c:\users\Will\AppData\Roaming\InstallShield

2011-11-10 02:30 . 2011-11-10 02:30 -------- d-----w- c:\program files\Replay Video Capture

2011-11-08 23:12 . 2011-09-29 16:03 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-08 23:12 . 2011-10-01 04:37 708608 ----a-w- c:\program files\Common Files\System\wab32.dll

2011-11-08 23:12 . 2011-09-29 03:37 2341888 ----a-w- c:\windows\system32\win32k.sys

2011-11-07 23:58 . 2011-08-27 04:26 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-11-07 23:53 . 2011-02-23 04:47 69632 ----a-w- c:\windows\system32\drivers\bowser.sys

2011-10-24 21:27 . 2011-10-24 21:31 -------- d-----w- c:\users\Will\AppData\Roaming\GetRightToGo

2011-10-23 22:18 . 2011-10-23 22:18 -------- d-----w- c:\users\Will\AppData\Local\Babylon

2011-10-23 22:18 . 2011-10-24 02:07 -------- d-----w- c:\program files\Easy Downloads

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-13 18:20 . 2011-06-11 21:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-03 07:50 . 2010-04-17 01:02 544656 ----a-w- c:\windows\system32\deployJava1.dll

2011-08-31 22:00 . 2009-10-14 17:37 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2007-03-09 07:12 27648 --sha-w- c:\windows\System32\AVSredirect.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-13 4617600]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceRunOnStartMenu"= 1 (0x1)

"QuickLaunchEnabled"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-01 113024]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]

2007-12-17 09:55 320168 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-08-31 22:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2011-08-22 06:18 6276408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-11-10 08:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2011-07-28 22:49 336384 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-05-04 17:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]

2011-08-25 11:13 2816328 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

.

R1 MpKslb8f1bfd9;MpKslb8f1bfd9;c:\windows\system32\MpEngineStore\MpKslb8f1bfd9.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2005-06-15 45440]

R3 cpuz134;cpuz134;c:\users\Will\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [x]

R3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\cur_bus.sys [2005-07-19 57744]

R3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 8336]

R3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 93328]

R3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\cur_serd.sys [2005-07-19 73152]

R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-08-26 14216]

R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-09-16 8456]

R3 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]

R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [x]

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]

R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2005-06-15 56960]

R3 pmxscan;Visioneer USB Kernel;c:\windows\system32\DRIVERS\usbscan.sys [2009-07-14 35840]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]

R4 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [x]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-03 691696]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-09-01 12880]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-09-01 67664]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-09-01 116608]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-07-28 176128]

S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-07-28 291840]

S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [2011-06-24 39424]

S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [2009-08-13 594600]

S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe [2009-08-13 98984]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [2010-02-18 37944]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-07-28 8396800]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-07-28 247296]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-06-06 211984]

S3 KMWDFILTERx86;HIDServiceDesc;c:\windows\system32\DRIVERS\KMWDFILTER.sys [2009-04-29 25088]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-04-26 322848]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - ppsio2

*Deregistered* - SASENUM

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc

HsfXAudioService REG_MULTI_SZ HsfXAudioService

LPDService REG_MULTI_SZ LPDSVC

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://yeppo.net

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: {{7CD59A63-0815-46D0-B474-2E5BCFCADD7C} - {1E866952-62EA-4161-B97D-4D228CEDF7A0} - c:\program files\UAPick\UABtn.dll

Trusted Zone: motive.com\pattta.att

Trusted Zone: motive.com\patttbc.att

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\users\Will\AppData\Roaming\Mozilla\Firefox\Profiles\mhl1biwx.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=ce25f49a00000000000000ff031509b7&tlver=1.4.35.10&affID=100842

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}

FF - Ext: cacaoweb: cacaoweb@cacaoweb.org - %profile%\extensions\cacaoweb@cacaoweb.org

FF - Ext: vShare Plugin: vshareus@toolbar - %profile%\extensions\vshareus@toolbar

FF - Ext: OpenDownload²: {210249CE-F888-11DD-B868-4CB456D89593} - %profile%\extensions\{210249CE-F888-11DD-B868-4CB456D89593}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: IE Tab +: coralietab@mozdev.org - %profile%\extensions\coralietab@mozdev.org

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Will\AppData\Roaming\Move Networks

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-cacaoweb - c:\users\Will\AppData\Roaming\cacaoweb\cacaoweb.exe

ShellExecuteHooks-{A213B520-C6C2-11d0-AF9D-008029E1027E} - (no file)

SafeBoot-klmdb.sys

MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe

MSConfigStartUp-ATICustomerCare - c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

MSConfigStartUp-HPYpbHtCoK - c:\programdata\HPYpbHtCoK.exe

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-TkBellExe - c:\program files\Real\RealPlayer\update\realsched.exe

MSConfigStartUp-wminit - c:\program files\Common Files\System\wminit.exe

AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\FlashUtil10x_Plugin.exe

AddRemove-Custody X Change_is1 - c:\program files\Custody X Change\unins000.exe

AddRemove-Replay_Converter_1 - c:\windows\iun6002.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]

@DACL=(02 0000)

@="Folder Redirection"

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"DllName"=expand:"fdeploy.dll"

"NoMachinePolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"NoGPOListChanges"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"GenerateGroupPolicy"="GenerateGroupPolicy"

"EventSources"=multi:"(Folder Redirection,Application)\00\00"

"DisplayName"=expand:"@fdeploy.dll,-261"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"DisplayName"=expand:"@%SystemRoot%\\System32\\dskquota.dll,-100"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"%SystemRoot%\\System32\\dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]

@DACL=(02 0000)

@="QoS Packet Scheduler"

"DisplayName"=expand:"@gptext.dll,-201"

"ProcessGroupPolicy"="ProcessPSCHEDPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}]

@DACL=(02 0000)

@="Remote Desktop USB Redirection"

"DllName"=expand:"%SystemRoot%\\System32\\TsUsbRedirectionGroupPolicyExtension.dll"

"RequiresSuccessfulRegistry"=dword:00000001

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"NoGPOListChanges"=dword:00000001

"NoUserPolicy"=dword:00000001

"DisplayName"=expand:"@%SystemRoot%\\System32\\TsUsbRedirectionGroupPolicyExtension.dll,-100"

"NoBackgroundPolicy"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]

@DACL=(02 0000)

@="Windows Search Group Policy Extension"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"=expand:"%SystemRoot%\\System32\\srchadmin.dll"

"RequiresSuccessfulRegistry"=dword:00000001

"NoSlowLink"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoUserPolicy"=dword:00000000

"NoMachinePolicy"=dword:00000000

"PerUserLocalSettings"=dword:00000000

"EnableAsynchronousProcessing"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]

@DACL=(02 0000)

@="Deployed Printer Connections"

"DisplayName"=expand:"@%systemroot%\\system32\\gpprnext.dll,-1"

"DllName"=expand:"%systemroot%\\system32\\gpprnext.dll"

"EnableAsynchronousProcessing"=dword:00000001

"ExtensionEventSource"=""

"GenerateGroupPolicy"="PrinterGenerateGroupPolicy"

"MaxNoGPOListChangesInterval"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000001

"NotifyLinkTransition"=dword:00000000

"NoUserPolicy"=dword:00000000

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="PrinterProcessGroupPolicy"

"ProcessGroupPolicyEx"="PrinterProcessGroupPolicyEx"

"RequiresSuccessfulRegistry"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}]

@DACL=(02 0000)

@="TCPIP"

"DisplayName"=expand:"@gptext.dll,-204"

"ProcessGroupPolicy"="ProcessTCPIPPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]

@DACL=(02 0000)

@="IP Security"

"ProcessGroupPolicyEx"="ProcessIPSECPolicyEx"

"GenerateGroupPolicy"="GenerateIPSECPolicy"

"DllName"=expand:"%SystemRoot%\\System32\\polstore.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000000

"DisplayName"=expand:"@c:\\Windows\\system32\\polstore.dll,-5012"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}]

@DACL=(02 0000)

@="Audit Policy Configuration"

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"DllName"=expand:"auditcse.dll"

"NoUserPolicy"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

"ForceRefreshFG"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}]

@DACL=(02 0000)

@="Enterprise QoS"

"DisplayName"=expand:"@gptext.dll,-203"

"ProcessGroupPolicy"="ProcessEQoSPolicy"

"DllName"=expand:"gptext.dll"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}]

@DACL=(02 0000)

@="CP"

"DisplayName"=expand:"@gptext.dll,-205"

"ProcessGroupPolicy"="ProcessConnectivityPlatformPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dstfixx]

@DACL=(02 0000)

"DllName"=expand:"dstfixx.dll"

"Startup"="dstfixx\00op"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

"MaxWait"=dword:00000001

"stdmemr"=hex:f8,ef,dc,47,e1,bf,73,1f,47

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrdivin]

@DACL=(02 0000)

"DllName"=expand:"wrdivin.dll"

"Startup"="wrdivin\00op"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

"MaxWait"=dword:00000001

"rrtguid3"=hex:d4,fa,fe,ce,53,eb,fb,3b,ce

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-11-15 20:08:56

ComboFix-quarantined-files.txt 2011-11-16 01:08

.

Pre-Run: 370,144,346,112 bytes free

Post-Run: 370,407,874,560 bytes free

.

- - End Of File - - D1924384F1E35C9A267106F6DEAFCA99


Open Notepad and copy and paste the text in the code box below into it:

FireFox::
FF - ProfilePath - c:\users\Will\AppData\Roaming\Mozilla\Firefox\Profiles\mhl1biwx.default\
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=ce25f49a00000000000000ff031509b7&tlver=1.4.35.10&affID=100842
FF - Ext: vShare Plugin: vshareus@toolbar - %profile%\extensions\vshareus@toolbar

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

In your next post here, please include ComboFix.txt and let me know how things are there.


ComboFix 11-11-15.06 - Will 11/16/2011 4:50.2.4 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3071.2164 [GMT -5:00]

Running from: c:\users\Will\Desktop\ComboFix.exe

Command switches used :: c:\users\Will\Desktop\CFScript.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Will\AppData\Roaming\cacaoweb

c:\users\Will\AppData\Roaming\cacaoweb\cacaoweb.exe

c:\users\Will\AppData\Roaming\cacaoweb\npdfile.dat

c:\users\Will\AppData\Roaming\cacaoweb\replicatingD4281282805D64DB67D35A797F69CEAE.cacao

c:\users\Will\AppData\Roaming\cacaoweb\storage.db

c:\users\Will\AppData\Roaming\Mozilla\Firefox\Profiles\mhl1biwx.default\extensions\vshareus@toolbar

c:\users\Will\AppData\Roaming\Mozilla\Firefox\Profiles\mhl1biwx.default\extensions\vshareus@toolbar\chrome.manifest

c:\users\Will\AppData\Roaming\Mozilla\Firefox\Profiles\mhl1biwx.default\extensions\vshareus@toolbar\chrome\vshareus.jar

c:\users\Will\AppData\Roaming\Mozilla\Firefox\Profiles\mhl1biwx.default\extensions\vshareus@toolbar\install.rdf

.

.

((((((((((((((((((((((((( Files Created from 2011-10-16 to 2011-11-16 )))))))))))))))))))))))))))))))

.

.

2011-11-16 09:55 . 2011-11-16 09:55 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2011-11-16 09:55 . 2011-11-16 09:55 -------- d-----w- c:\users\SYSTEM\AppData\Local\temp

2011-11-16 09:55 . 2011-11-16 09:55 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-11-16 09:55 . 2011-11-16 09:55 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp

2011-11-16 01:17 . 2011-11-16 01:16 607260 ----a-w- c:\program files\dds.scr

2011-11-14 10:56 . 2011-11-14 10:56 -------- d-----w- c:\users\Will\AppData\Roaming\Yahoo!

2011-11-13 18:19 . 2011-11-13 18:19 -------- d-----w- c:\windows\Profiles\All Users\Application Data\Yahoo!

2011-11-13 00:20 . 2011-11-13 00:20 -------- d-----w- c:\program files\Avanquest update

2011-11-13 00:18 . 2011-11-13 00:18 -------- d-----w- c:\users\Will\AppData\Local\BVRP Software

2011-11-12 23:59 . 2011-11-13 00:39 -------- d-----w- c:\program files\Motorola Phone Tools

2011-11-12 23:57 . 2011-11-12 23:57 -------- d-----w- c:\users\Will\AppData\Roaming\InstallShield

2011-11-10 02:30 . 2011-11-10 02:30 -------- d-----w- c:\program files\Replay Video Capture

2011-11-08 23:12 . 2011-09-29 16:03 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-08 23:12 . 2011-10-01 04:37 708608 ----a-w- c:\program files\Common Files\System\wab32.dll

2011-11-08 23:12 . 2011-09-29 03:37 2341888 ----a-w- c:\windows\system32\win32k.sys

2011-11-07 23:58 . 2011-08-27 04:26 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-11-07 23:53 . 2011-02-23 04:47 69632 ----a-w- c:\windows\system32\drivers\bowser.sys

2011-10-24 21:27 . 2011-10-24 21:31 -------- d-----w- c:\users\Will\AppData\Roaming\GetRightToGo

2011-10-23 22:18 . 2011-10-23 22:18 -------- d-----w- c:\users\Will\AppData\Local\Babylon

2011-10-23 22:18 . 2011-10-24 02:07 -------- d-----w- c:\program files\Easy Downloads

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-13 18:20 . 2011-06-11 21:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-03 07:50 . 2010-04-17 01:02 544656 ----a-w- c:\windows\system32\deployJava1.dll

2011-08-31 22:00 . 2009-10-14 17:37 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2007-03-09 07:12 27648 --sha-w- c:\windows\System32\AVSredirect.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-13 4617600]

"cacaoweb"="c:\users\Will\AppData\Roaming\cacaoweb\cacaoweb.exe" [bU]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceRunOnStartMenu"= 1 (0x1)

"QuickLaunchEnabled"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-01 113024]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]

2007-12-17 09:55 320168 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-08-31 22:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2011-08-22 06:18 6276408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2010-11-10 08:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2011-07-28 22:49 336384 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-05-04 17:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]

2011-08-25 11:13 2816328 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

.

R1 MpKslb8f1bfd9;MpKslb8f1bfd9;c:\windows\system32\MpEngineStore\MpKslb8f1bfd9.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2005-06-15 45440]

R3 cpuz134;cpuz134;c:\users\Will\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [x]

R3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\cur_bus.sys [2005-07-19 57744]

R3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\DRIVERS\cur_mdfl.sys [2005-07-19 8336]

R3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\DRIVERS\cur_mdm.sys [2005-07-19 93328]

R3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\cur_serd.sys [2005-07-19 73152]

R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-08-26 14216]

R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-09-16 8456]

R3 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]

R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [x]

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]

R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2005-06-15 56960]

R3 pmxscan;Visioneer USB Kernel;c:\windows\system32\DRIVERS\usbscan.sys [2009-07-14 35840]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]

R4 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [x]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-03 691696]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-09-01 12880]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-09-01 67664]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-09-01 116608]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-07-28 176128]

S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-07-28 291840]

S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [2011-06-24 39424]

S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [2009-08-13 594600]

S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe [2009-08-13 98984]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [2010-02-18 37944]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-07-28 8396800]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-07-28 247296]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-06-06 211984]

S3 KMWDFILTERx86;HIDServiceDesc;c:\windows\system32\DRIVERS\KMWDFILTER.sys [2009-04-29 25088]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-04-26 322848]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - ppsio2

*Deregistered* - SASENUM

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc

HsfXAudioService REG_MULTI_SZ HsfXAudioService

LPDService REG_MULTI_SZ LPDSVC

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://yeppo.net

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: {{7CD59A63-0815-46D0-B474-2E5BCFCADD7C} - {1E866952-62EA-4161-B97D-4D228CEDF7A0} - c:\program files\UAPick\UABtn.dll

Trusted Zone: motive.com\pattta.att

Trusted Zone: motive.com\patttbc.att

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\users\Will\AppData\Roaming\Mozilla\Firefox\Profiles\mhl1biwx.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}

FF - Ext: cacaoweb: cacaoweb@cacaoweb.org - %profile%\extensions\cacaoweb@cacaoweb.org

FF - Ext: OpenDownload²: {210249CE-F888-11DD-B868-4CB456D89593} - %profile%\extensions\{210249CE-F888-11DD-B868-4CB456D89593}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: IE Tab +: coralietab@mozdev.org - %profile%\extensions\coralietab@mozdev.org

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Will\AppData\Roaming\Move Networks

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]

@DACL=(02 0000)

@="Folder Redirection"

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"DllName"=expand:"fdeploy.dll"

"NoMachinePolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"NoGPOListChanges"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"GenerateGroupPolicy"="GenerateGroupPolicy"

"EventSources"=multi:"(Folder Redirection,Application)\00\00"

"DisplayName"=expand:"@fdeploy.dll,-261"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"DisplayName"=expand:"@%SystemRoot%\\System32\\dskquota.dll,-100"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"%SystemRoot%\\System32\\dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]

@DACL=(02 0000)

@="QoS Packet Scheduler"

"DisplayName"=expand:"@gptext.dll,-201"

"ProcessGroupPolicy"="ProcessPSCHEDPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}]

@DACL=(02 0000)

@="Remote Desktop USB Redirection"

"DllName"=expand:"%SystemRoot%\\System32\\TsUsbRedirectionGroupPolicyExtension.dll"

"RequiresSuccessfulRegistry"=dword:00000001

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"NoGPOListChanges"=dword:00000001

"NoUserPolicy"=dword:00000001

"DisplayName"=expand:"@%SystemRoot%\\System32\\TsUsbRedirectionGroupPolicyExtension.dll,-100"

"NoBackgroundPolicy"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}]

@DACL=(02 0000)

@="Windows Search Group Policy Extension"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"=expand:"%SystemRoot%\\System32\\srchadmin.dll"

"RequiresSuccessfulRegistry"=dword:00000001

"NoSlowLink"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoUserPolicy"=dword:00000000

"NoMachinePolicy"=dword:00000000

"PerUserLocalSettings"=dword:00000000

"EnableAsynchronousProcessing"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}]

@DACL=(02 0000)

@="Deployed Printer Connections"

"DisplayName"=expand:"@%systemroot%\\system32\\gpprnext.dll,-1"

"DllName"=expand:"%systemroot%\\system32\\gpprnext.dll"

"EnableAsynchronousProcessing"=dword:00000001

"ExtensionEventSource"=""

"GenerateGroupPolicy"="PrinterGenerateGroupPolicy"

"MaxNoGPOListChangesInterval"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000001

"NotifyLinkTransition"=dword:00000000

"NoUserPolicy"=dword:00000000

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="PrinterProcessGroupPolicy"

"ProcessGroupPolicyEx"="PrinterProcessGroupPolicyEx"

"RequiresSuccessfulRegistry"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}]

@DACL=(02 0000)

@="TCPIP"

"DisplayName"=expand:"@gptext.dll,-204"

"ProcessGroupPolicy"="ProcessTCPIPPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]

@DACL=(02 0000)

@="IP Security"

"ProcessGroupPolicyEx"="ProcessIPSECPolicyEx"

"GenerateGroupPolicy"="GenerateIPSECPolicy"

"DllName"=expand:"%SystemRoot%\\System32\\polstore.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000000

"DisplayName"=expand:"@c:\\Windows\\system32\\polstore.dll,-5012"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}]

@DACL=(02 0000)

@="Audit Policy Configuration"

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"DllName"=expand:"auditcse.dll"

"NoUserPolicy"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

"ForceRefreshFG"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}]

@DACL=(02 0000)

@="Enterprise QoS"

"DisplayName"=expand:"@gptext.dll,-203"

"ProcessGroupPolicy"="ProcessEQoSPolicy"

"DllName"=expand:"gptext.dll"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}]

@DACL=(02 0000)

@="CP"

"DisplayName"=expand:"@gptext.dll,-205"

"ProcessGroupPolicy"="ProcessConnectivityPlatformPolicy"

"DllName"=expand:"gptext.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dstfixx]

@DACL=(02 0000)

"DllName"=expand:"dstfixx.dll"

"Startup"="dstfixx\00op"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

"MaxWait"=dword:00000001

"stdmemr"=hex:f8,ef,dc,47,e1,bf,73,1f,47

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrdivin]

@DACL=(02 0000)

"DllName"=expand:"wrdivin.dll"

"Startup"="wrdivin\00op"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

"MaxWait"=dword:00000001

"rrtguid3"=hex:d4,fa,fe,ce,53,eb,fb,3b,ce

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-11-16 04:57:29

ComboFix-quarantined-files.txt 2011-11-16 09:57

ComboFix2.txt 2011-11-16 01:08

.

Pre-Run: 371,033,206,784 bytes free

Post-Run: 370,760,269,824 bytes free

.

- - End Of File - - 91073538900C4244E964A421E6D2729B


It doesn't seem to like Cacaoweb, does it? So far no problems except that IE9 and Yahoo Messenger still seem to take a long time to connect to the internet. Firefox connects just fine and the system connects to the network just fine at start-up. So I don't know what the deal is with IE and Yahoo Messenger.


Cacaoweb is a legitimate application, so if you have any problem with it, just let me know.

Please locate the following folders and manually delete them:

c:\users\Will\AppData\Roaming\GetRightToGo

c:\users\Will\AppData\Local\Babylon

c:\program files\Easy Downloads

Now:

Download the latest version of TDSSKiller from here and save it to your Desktop.

  1. Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  3. Click the Start Scan button.
  4. If a suspicious object is detected, the default action will be Skip; click on Continue.
  5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
  6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  7. Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

In your next reply, please post the following log files:

  • TDSSKiller log
  • a new fresh DDS log only


17:54:56.0961 2480 TDSS rootkit removing tool 2.6.19.0 Nov 16 2011 12:18:50

17:54:57.0398 2480 ============================================================

17:54:57.0399 2480 Current date / time: 2011/11/16 17:54:57.0398

17:54:57.0399 2480 SystemInfo:

17:54:57.0399 2480

17:54:57.0399 2480 OS Version: 6.1.7601 ServicePack: 1.0

17:54:57.0399 2480 Product type: Workstation

17:54:57.0399 2480 ComputerName: HOME

17:54:57.0399 2480 UserName: Will

17:54:57.0399 2480 Windows directory: C:\Windows

17:54:57.0399 2480 System windows directory: C:\Windows

17:54:57.0399 2480 Processor architecture: Intel x86

17:54:57.0399 2480 Number of processors: 4

17:54:57.0399 2480 Page size: 0x1000

17:54:57.0399 2480 Boot type: Normal boot

17:54:57.0399 2480 ============================================================

17:54:58.0511 2480 Initialize success

17:55:00.0209 0364 ============================================================

17:55:00.0209 0364 Scan started

17:55:00.0209 0364 Mode: Manual;

17:55:00.0209 0364 ============================================================


17:55:11.0361 0364 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys

17:55:11.0363 0364 nv_agp - ok

17:55:11.0436 0364 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys

17:55:11.0438 0364 ohci1394 - ok

17:55:11.0510 0364 ousb2hub (5d3529e99b08dae7d93a1394ec37047f) C:\Windows\system32\DRIVERS\ousb2hub.sys

17:55:11.0511 0364 ousb2hub - ok

17:55:11.0538 0364 ousbehci (f04f275c341ad05fdd0f2a55e58273a8) C:\Windows\system32\Drivers\ousbehci.sys

17:55:11.0539 0364 ousbehci - ok

17:55:11.0609 0364 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys

17:55:11.0611 0364 Parport - ok

17:55:11.0671 0364 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys

17:55:11.0673 0364 partmgr - ok

17:55:11.0728 0364 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys

17:55:11.0729 0364 Parvdm - ok

17:55:11.0786 0364 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys

17:55:11.0787 0364 pci - ok

17:55:11.0815 0364 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys

17:55:11.0817 0364 pciide - ok

17:55:11.0871 0364 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys

17:55:11.0875 0364 pcmcia - ok

17:55:11.0937 0364 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys

17:55:11.0938 0364 pcw - ok

17:55:12.0010 0364 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys

17:55:12.0028 0364 PEAUTH - ok

17:55:12.0114 0364 pmxscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys

17:55:12.0116 0364 pmxscan - ok

17:55:12.0197 0364 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys

17:55:12.0199 0364 PptpMiniport - ok

17:55:12.0223 0364 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys

17:55:12.0225 0364 Processor - ok

17:55:12.0298 0364 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys

17:55:12.0333 0364 ql2300 - ok

17:55:12.0387 0364 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys

17:55:12.0390 0364 ql40xx - ok

17:55:12.0444 0364 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys

17:55:12.0446 0364 QWAVEdrv - ok

17:55:12.0478 0364 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys

17:55:12.0479 0364 RasAcd - ok

17:55:12.0521 0364 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys

17:55:12.0523 0364 RasAgileVpn - ok

17:55:12.0554 0364 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys

17:55:12.0556 0364 Rasl2tp - ok

17:55:12.0584 0364 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys

17:55:12.0587 0364 RasPppoe - ok

17:55:12.0603 0364 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys

17:55:12.0605 0364 RasSstp - ok

17:55:12.0643 0364 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys

17:55:12.0648 0364 rdbss - ok

17:55:12.0676 0364 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys

17:55:12.0677 0364 rdpbus - ok

17:55:12.0721 0364 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys

17:55:12.0722 0364 RDPCDD - ok

17:55:12.0778 0364 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys

17:55:12.0782 0364 RDPDR - ok

17:55:12.0840 0364 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys

17:55:12.0841 0364 RDPENCDD - ok

17:55:12.0874 0364 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys

17:55:12.0874 0364 RDPREFMP - ok

17:55:12.0925 0364 RdpVideoMiniport (68a0387f58e226deee23d9715955572a) C:\Windows\system32\drivers\rdpvideominiport.sys

17:55:12.0927 0364 RdpVideoMiniport - ok

17:55:13.0008 0364 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys

17:55:13.0011 0364 RDPWD - ok

17:55:13.0080 0364 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys

17:55:13.0084 0364 rdyboost - ok

17:55:13.0182 0364 RTHDMIAzAudService (d82223ba9dc7ed479b61be2b521fb6e6) C:\Windows\system32\drivers\RtHDMIV.sys

17:55:13.0185 0364 RTHDMIAzAudService - ok

17:55:13.0251 0364 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys

17:55:13.0252 0364 s3cap - ok

17:55:13.0348 0364 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

17:55:13.0349 0364 SASDIFSV - ok

17:55:13.0379 0364 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

17:55:13.0381 0364 SASKUTIL - ok

17:55:13.0489 0364 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys

17:55:13.0491 0364 sbp2port - ok

17:55:13.0555 0364 SCDEmu (612a3d69e603dbbe5c3c1079186a0393) C:\Windows\system32\drivers\SCDEmu.sys

17:55:13.0557 0364 SCDEmu - ok

17:55:13.0619 0364 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys

17:55:13.0620 0364 scfilter - ok

17:55:13.0699 0364 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys

17:55:13.0700 0364 secdrv - ok

17:55:13.0755 0364 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys

17:55:13.0757 0364 Serenum - ok

17:55:13.0795 0364 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys

17:55:13.0797 0364 Serial - ok

17:55:13.0854 0364 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys

17:55:13.0856 0364 sermouse - ok

17:55:13.0939 0364 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys

17:55:13.0941 0364 sffdisk - ok

17:55:13.0975 0364 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys

17:55:13.0976 0364 sffp_mmc - ok

17:55:14.0001 0364 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys

17:55:14.0002 0364 sffp_sd - ok

17:55:14.0033 0364 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys

17:55:14.0034 0364 sfloppy - ok

17:55:14.0128 0364 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys

17:55:14.0129 0364 sisagp - ok

17:55:14.0183 0364 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys

17:55:14.0184 0364 SiSRaid2 - ok

17:55:14.0208 0364 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys

17:55:14.0211 0364 SiSRaid4 - ok

17:55:14.0231 0364 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys

17:55:14.0233 0364 Smb - ok

17:55:14.0270 0364 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys

17:55:14.0272 0364 spldr - ok

17:55:14.0287 0364 SPLITCAM - ok

17:55:14.0385 0364 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys

17:55:14.0385 0364 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505

17:55:14.0390 0364 sptd ( LockedFile.Multi.Generic ) - warning

17:55:14.0391 0364 sptd - detected LockedFile.Multi.Generic (1)

17:55:14.0459 0364 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys

17:55:14.0465 0364 srv - ok

17:55:14.0524 0364 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys

17:55:14.0531 0364 srv2 - ok

17:55:14.0598 0364 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys

17:55:14.0601 0364 srvnet - ok

17:55:14.0694 0364 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys

17:55:14.0696 0364 stexstor - ok

17:55:14.0783 0364 STHDA (77b6fbe1df8d5b10ef97ee52e2cd1c39) C:\Windows\system32\DRIVERS\stwrt.sys

17:55:14.0789 0364 STHDA - ok

17:55:14.0876 0364 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys

17:55:14.0878 0364 storflt - ok

17:55:14.0925 0364 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys

17:55:14.0927 0364 storvsc - ok

17:55:14.0949 0364 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys

17:55:14.0950 0364 swenum - ok

17:55:14.0999 0364 Synth3dVsc - ok

17:55:15.0051 0364 tap0901 (c516b5cffb7c307fcb7df87d7d7fa200) C:\Windows\system32\DRIVERS\tap0901.sys

17:55:15.0052 0364 tap0901 - ok

17:55:15.0100 0364 taphss (0c3b2a9c4bd2dd9a6c2e4084314dd719) C:\Windows\system32\DRIVERS\taphss.sys

17:55:15.0101 0364 taphss - ok

17:55:15.0162 0364 tapvpn (27a2c318cd28cfb3eb2200fd96af1e58) C:\Windows\system32\DRIVERS\tapvpn.sys

17:55:15.0163 0364 tapvpn - ok

17:55:15.0252 0364 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\drivers\tcpip.sys

17:55:15.0287 0364 Tcpip - ok

17:55:15.0343 0364 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\DRIVERS\tcpip.sys

17:55:15.0353 0364 TCPIP6 - ok

17:55:15.0413 0364 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys

17:55:15.0415 0364 tcpipreg - ok

17:55:15.0463 0364 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys

17:55:15.0465 0364 TDPIPE - ok

17:55:15.0510 0364 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys

17:55:15.0512 0364 TDTCP - ok

17:55:15.0599 0364 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys

17:55:15.0601 0364 tdx - ok

17:55:15.0680 0364 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys

17:55:15.0682 0364 TermDD - ok

17:55:15.0782 0364 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys

17:55:15.0784 0364 tssecsrv - ok

17:55:15.0820 0364 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys

17:55:15.0823 0364 TsUsbFlt - ok

17:55:15.0837 0364 tsusbhub - ok

17:55:15.0881 0364 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys

17:55:15.0885 0364 tunnel - ok

17:55:15.0949 0364 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys

17:55:15.0950 0364 uagp35 - ok

17:55:15.0998 0364 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys

17:55:16.0003 0364 udfs - ok

17:55:16.0073 0364 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys

17:55:16.0076 0364 uliagpkx - ok

17:55:16.0139 0364 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys

17:55:16.0141 0364 umbus - ok

17:55:16.0194 0364 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys

17:55:16.0195 0364 UmPass - ok

17:55:16.0259 0364 usbaudio (1d9f2bd026e8e2d45033a4df3f16b78c) C:\Windows\system32\drivers\usbaudio.sys

17:55:16.0262 0364 usbaudio - ok

17:55:16.0303 0364 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys

17:55:16.0305 0364 usbccgp - ok

17:55:16.0339 0364 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys

17:55:16.0342 0364 usbcir - ok

17:55:16.0406 0364 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys

17:55:16.0408 0364 usbehci - ok

17:55:16.0472 0364 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys

17:55:16.0476 0364 usbhub - ok

17:55:16.0518 0364 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\DRIVERS\usbohci.sys

17:55:16.0519 0364 usbohci - ok

17:55:16.0601 0364 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys

17:55:16.0602 0364 usbprint - ok

17:55:16.0645 0364 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys

17:55:16.0646 0364 usbscan - ok

17:55:16.0699 0364 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\drivers\USBSTOR.SYS

17:55:16.0700 0364 USBSTOR - ok

17:55:16.0742 0364 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys

17:55:16.0743 0364 usbuhci - ok

17:55:16.0787 0364 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\Windows\System32\Drivers\usbvideo.sys

17:55:16.0790 0364 usbvideo - ok

17:55:16.0881 0364 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys

17:55:16.0882 0364 vdrvroot - ok

17:55:16.0989 0364 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys

17:55:16.0991 0364 vga - ok

17:55:17.0034 0364 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys

17:55:17.0035 0364 VgaSave - ok

17:55:17.0065 0364 VGPU - ok

17:55:17.0139 0364 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys

17:55:17.0142 0364 vhdmp - ok

17:55:17.0203 0364 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys

17:55:17.0204 0364 viaagp - ok

17:55:17.0253 0364 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys

17:55:17.0255 0364 ViaC7 - ok

17:55:17.0293 0364 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys

17:55:17.0294 0364 viaide - ok

17:55:17.0338 0364 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys

17:55:17.0341 0364 vmbus - ok

17:55:17.0383 0364 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys

17:55:17.0385 0364 VMBusHID - ok

17:55:17.0421 0364 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys

17:55:17.0423 0364 volmgr - ok

17:55:17.0479 0364 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys

17:55:17.0481 0364 volmgrx - ok

17:55:17.0507 0364 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys

17:55:17.0512 0364 volsnap - ok

17:55:17.0556 0364 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys

17:55:17.0559 0364 vsmraid - ok

17:55:17.0605 0364 VSTHWBS2 (682fcf7d2eb5158cd30408e976562408) C:\Windows\system32\DRIVERS\VSTBS23.SYS

17:55:17.0610 0364 VSTHWBS2 - ok

17:55:17.0702 0364 VST_DPV (ceb4e3b6890e1e42dca6694d9e59e1a0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS

17:55:17.0728 0364 VST_DPV - ok

17:55:17.0783 0364 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys

17:55:17.0785 0364 vwifibus - ok

17:55:17.0832 0364 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys

17:55:17.0834 0364 WacomPen - ok

17:55:17.0889 0364 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys

17:55:17.0891 0364 WANARP - ok

17:55:17.0899 0364 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys

17:55:17.0900 0364 Wanarpv6 - ok

17:55:17.0984 0364 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys

17:55:17.0985 0364 Wd - ok

17:55:18.0044 0364 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys

17:55:18.0053 0364 Wdf01000 - ok

17:55:18.0164 0364 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys

17:55:18.0166 0364 WfpLwf - ok

17:55:18.0199 0364 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys

17:55:18.0201 0364 WIMMount - ok

17:55:18.0251 0364 winachsf (8b976d4ca270110111df4f313da0e6e8) C:\Windows\system32\DRIVERS\HSX_CNXT.sys

17:55:18.0277 0364 winachsf - ok

17:55:18.0421 0364 WinUsb (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUsb.sys

17:55:18.0422 0364 WinUsb - ok

17:55:18.0491 0364 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys

17:55:18.0492 0364 WmiAcpi - ok

17:55:18.0601 0364 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys

17:55:18.0602 0364 ws2ifsl - ok

17:55:18.0708 0364 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys

17:55:18.0711 0364 WudfPf - ok

17:55:18.0794 0364 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys

17:55:18.0796 0364 WUDFRd - ok

17:55:18.0864 0364 XAudio (894f963be999ba9db5aac3aed55b115d) C:\Windows\system32\DRIVERS\XAudio32.sys

17:55:18.0865 0364 XAudio - ok

17:55:18.0940 0364 yukonw7 (21886ae871840739885a34e7f216afa7) C:\Windows\system32\DRIVERS\yk62x86.sys

17:55:18.0942 0364 yukonw7 - ok

17:55:18.0971 0364 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0

17:55:18.0983 0364 \Device\Harddisk0\DR0 - ok

17:55:18.0987 0364 Boot (0x1200) (aff578e752245dedf89a6448abac699e) \Device\Harddisk0\DR0\Partition0

17:55:18.0988 0364 \Device\Harddisk0\DR0\Partition0 - ok

17:55:19.0020 0364 Boot (0x1200) (2c6477e103471e4c7383e8c130bfbab0) \Device\Harddisk0\DR0\Partition1

17:55:19.0020 0364 \Device\Harddisk0\DR0\Partition1 - ok

17:55:19.0035 0364 Boot (0x1200) (11ac15e39d7116accc2a26b2c59e1786) \Device\Harddisk0\DR0\Partition2

17:55:19.0036 0364 \Device\Harddisk0\DR0\Partition2 - ok

17:55:19.0037 0364 ============================================================

17:55:19.0037 0364 Scan finished

17:55:19.0037 0364 ============================================================

17:55:19.0051 1720 Detected object count: 1

17:55:19.0051 1720 Actual detected object count: 1

17:55:29.0030 1720 sptd ( LockedFile.Multi.Generic ) - skipped by user

17:55:29.0030 1720 sptd ( LockedFile.Multi.Generic ) - User select action: Skip

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.1.0

Run by Will at 17:58:48 on 2011-11-16

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3071.2100 [GMT -5:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\crypserv.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\spool\DRIVERS\W32X86\3\lxdnserv.exe

C:\Windows\system32\lxdncoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Windows\system32\conhost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://yeppo.net

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Set UA String (BHO): {3ce56db6-fcbe-4422-9454-63c354178985} - c:\program files\uapick\UABtn.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [cacaoweb] "c:\users\will\appdata\roaming\cacaoweb\cacaoweb.exe" -noplayer

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

uPolicies-explorer: ForceRunOnStartMenu = 1 (0x1)

uPolicies-explorer: QuickLaunchEnabled = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: {7CD59A63-0815-46D0-B474-2E5BCFCADD7C} - {1E866952-62EA-4161-B97D-4D228CEDF7A0} - c:\program files\uapick\UABtn.dll

Trusted Zone: motive.com\pattta.att

Trusted Zone: motive.com\patttbc.att

DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} - hxxps://fixit.support.microsoft.com/ActiveX/FixItClient.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{B2F02C79-8312-4F9E-8749-8F2F57392CB8} : DhcpNameServer = 192.168.1.254

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\will\appdata\roaming\mozilla\firefox\profiles\mhl1biwx.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\common files\motive\npMotive.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\will\appdata\roaming\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\users\will\appdata\roaming\mozilla\firefox\profiles\mhl1biwx.default\extensions\coralietab@mozdev.org\plugins\npCoralIETab.dll

FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}

FF - Ext: cacaoweb: cacaoweb@cacaoweb.org - %profile%\extensions\cacaoweb@cacaoweb.org

FF - Ext: OpenDownload²: {210249CE-F888-11DD-B868-4CB456D89593} - %profile%\extensions\{210249CE-F888-11DD-B868-4CB456D89593}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: IE Tab +: coralietab@mozdev.org - %profile%\extensions\coralietab@mozdev.org

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\will\appdata\roaming\Move Networks

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-7-28 176128]

R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2011-7-28 291840]

R2 AODDriver4.01;AODDriver4.01;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2011-6-24 39424]

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]

R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2009-8-13 98984]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-23 366152]

R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-1-8 37944]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-7-28 8396800]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-7-28 247296]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-6-6 211984]

R3 KMWDFILTERx86;HIDServiceDesc;c:\windows\system32\drivers\KMWDFILTER.sys [2009-4-29 25088]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-14 22216]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-7-15 322848]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2009-11-26 45440]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [2005-7-19 57744]

S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [2005-7-19 8336]

S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [2005-7-19 93328]

S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cur_serd.sys [2005-7-19 73152]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-1-4 14216]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-1-4 8456]

S3 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]

S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2009-11-26 56960]

S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [2009-7-13 35840]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-4-5 15872]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-5 52224]

S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]

S4 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]

.

=============== Created Last 30 ================

.

2011-11-16 09:57:32 -------- d-sh--w- C:\$RECYCLE.BIN

2011-11-16 01:17:00 607260 ------r- c:\program files\dds.scr

2011-11-16 00:57:36 98816 ----a-w- c:\windows\sed.exe

2011-11-16 00:57:36 518144 ----a-w- c:\windows\SWREG.exe

2011-11-16 00:57:36 256000 ----a-w- c:\windows\PEV.exe

2011-11-16 00:57:36 208896 ----a-w- c:\windows\MBR.exe

2011-11-13 00:20:00 -------- d-----w- c:\programdata\Avanquest

2011-11-13 00:20:00 -------- d-----w- c:\program files\Avanquest update

2011-11-13 00:18:45 -------- d-----w- c:\users\will\appdata\local\BVRP Software

2011-11-12 23:59:26 -------- d-----w- c:\program files\Motorola Phone Tools

2011-11-10 02:30:22 -------- d-----w- c:\program files\Replay Video Capture

2011-11-08 23:12:41 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-08 23:12:39 708608 ----a-w- c:\program files\common files\system\wab32.dll

2011-11-08 23:12:19 2341888 ----a-w- c:\windows\system32\win32k.sys

2011-11-07 23:58:58 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-11-07 23:53:54 69632 ----a-w- c:\windows\system32\drivers\bowser.sys

.

==================== Find3M ====================

.

2011-11-13 18:20:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-03 07:50:34 544656 ----a-w- c:\windows\system32\deployJava1.dll

2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-27 04:26:27 233472 ----a-w- c:\windows\system32\oleacc.dll

2007-03-09 07:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7601 Disk: ST3500830AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: >>UNKNOWN [0x83607000]<< >>UNKNOWN [0x8C2AA000]<< >>UNKNOWN [0x8C299000]<< >>UNKNOWN [0x84357000]<< >>UNKNOWN [0x83A19000]<< >>UNKNOWN [0x86E571F8]<<

_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }

1 ntkrnlpa!IofCallDriver[0x8363E52A] -> \Device\Harddisk0\DR0[0x86ECBAC8]

\Driver\Disk[0x86ED2460] -> IRP_MJ_CREATE -> 0x8C2AE39F

3 [0x8C2AE59E] -> ntkrnlpa!IofCallDriver[0x8363E52A] -> [0x870135B8]

\Driver\ACPI[0x861F37A8] -> IRP_MJ_CREATE -> 0x843604CC

5 [0x843603D4] -> ntkrnlpa!IofCallDriver[0x8363E52A] -> \Device\Ide\IdeDeviceP0T0L0-0[0x87018030]

\Driver\atapi[0x86E93F38] -> IRP_MJ_CREATE -> 0x86E571F8

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 17:59:36.65 ===============

Link to post
Share on other sites

Was I supposed to "fix" at some point? I didn't and now the option is greyed out.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software

Run date: 2011-11-17 05:47:43

-----------------------------

05:47:43.003 OS Version: Windows 6.1.7601 Service Pack 1

05:47:43.003 Number of processors: 4 586 0x202

05:47:43.005 ComputerName: HOME UserName: Will

05:47:45.040 Initialize success

05:48:35.828 AVAST engine defs: 11111700

05:49:08.788 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

05:49:08.790 Disk 0 Vendor: ST3500830AS 3.AAD Size: 476940MB BusType: 3

05:49:10.806 Disk 0 MBR read successfully

05:49:10.808 Disk 0 MBR scan

05:49:10.813 Disk 0 Windows VISTA default MBR code

05:49:10.817 Disk 0 scanning sectors +956287837

05:49:10.888 Disk 0 scanning C:\Windows\system32\drivers

05:49:22.176 Service scanning

05:49:22.941 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32

05:49:23.509 Modules scanning

05:49:34.395 Disk 0 trace - called modules:

05:49:34.403 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86e571f8]<<

05:49:34.404 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ecbac8]

05:49:34.405 3 CLASSPNP.SYS[8c2ae59e] -> nt!IofCallDriver -> [0x870135b8]

05:49:34.405 5 ACPI.sys[843603d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x87018030]

05:49:34.406 \Driver\atapi[0x86e93f38] -> IRP_MJ_CREATE -> 0x86e571f8

05:49:35.638 AVAST engine scan C:\Windows

05:49:40.557 AVAST engine scan C:\Windows\system32

05:51:57.971 AVAST engine scan C:\Windows\system32\drivers

05:52:10.005 AVAST engine scan C:\Users\Will

05:59:25.124 File: C:\Users\Will\Downloads\Reimage - PC Repair Online Cracked Jan 2010.exe **INFECTED** Win32:Malware-gen

05:59:54.980 AVAST engine scan C:\ProgramData

06:00:49.294 Scan finished successfully

06:21:48.216 Disk 0 MBR has been saved successfully to "C:\Users\Will\Desktop\MBR.dat"

06:21:48.220 The log file has been saved successfully to "C:\Users\Will\Desktop\aswMBR.txt"

Link to post
Share on other sites
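The aswMBR run above saved the raw boot sector to MBR.dat and reported "Windows VISTA default MBR code", and the DDS ROOTKIT section printed the disassembly it matched against (XOR AX,AX; MOV SS,AX; MOV SP,0x7c00; ... CMP BYTE [BP+0],0). The script below is an added example, not part of either tool or of the posts in this thread: it encodes that disassembly back to bytes, checks a 512-byte sector for the 0x55AA signature, confirms the boot code starts with the stock Windows Vista/7 prologue, and decodes the partition table. The sample sectors it builds are constructed for the demonstration; `check_mbr_file()` runs the same checks on a saved MBR.dat.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"

# Prologue of the stock Windows Vista/7 MBR, byte-encoded from the instruction
# sequence DDS disassembled in its ROOTKIT section (XOR AX,AX; MOV SS,AX;
# MOV SP,0x7C00; MOV ES,AX; MOV DS,AX; MOV SI,0x7C00; MOV DI,0x600;
# MOV CX,0x200; CLD; REP MOVSB; PUSH AX; PUSH 0x61C; RETF; STI; MOV CX,4;
# MOV BP,0x7BE; CMP BYTE [BP+0],0). 39 bytes.
STOCK_WIN7_PROLOGUE = bytes.fromhex(
    "33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4"
    "50681c06cbfbb90400bdbe07807e0000"
)


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields are ignored)."""
    status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Sanity-check a raw MBR sector and decode its partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    table = sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64]
    entries = [parse_partition_entry(table[i * 16:(i + 1) * 16]) for i in range(4)]
    used = [e for e in entries if e["type"] != 0]
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        # Prologue match only: boot code patched further into the 440-byte code
        # area would still pass this; compare the whole code area against a
        # known-good image when that matters.
        "stock_prologue": sector.startswith(STOCK_WIN7_PROLOGUE),
        "partitions": used,
        "bootable_count": sum(1 for e in used if e["bootable"]),
    }


def check_mbr_file(path: str) -> dict:
    """Run parse_mbr over a saved sector such as the MBR.dat aswMBR writes."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR_SIZE))


def build_sample_mbr(prologue: bytes = STOCK_WIN7_PROLOGUE) -> bytes:
    """Constructed test sector: given prologue, one active NTFS partition at LBA 2048."""
    code_area = prologue.ljust(PART_TABLE_OFFSET, b"\x00")
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = ntfs + b"\x00" * 48  # three unused entries
    return code_area + table + BOOT_SIGNATURE


def build_tampered_mbr() -> bytes:
    """Constructed sector whose boot code no longer starts with the stock prologue."""
    return build_sample_mbr(b"\xeb\x3e" + STOCK_WIN7_PROLOGUE)


if __name__ == "__main__":
    for label, sector in (("stock", build_sample_mbr()), ("tampered", build_tampered_mbr())):
        r = parse_mbr(sector)
        print(label, "signature_ok=%s stock_prologue=%s partitions=%d bootable=%d"
              % (r["signature_ok"], r["stock_prologue"], len(r["partitions"]), r["bootable_count"]))
```

A prologue match is what aswMBR's "default MBR code" verdict amounts to: necessary, not sufficient. Exactly one bootable entry and a valid signature are the other two things worth eyeballing before trusting the sector; anything else (no signature, zero or several active entries, a prologue that does not match) is a reason to keep the MBR.dat and ask the helper before touching the disk.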

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.1.0

Run by Will at 17:13:20 on 2011-11-17

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3071.2144 [GMT -5:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\crypserv.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\spool\DRIVERS\W32X86\3\lxdnserv.exe

C:\Windows\system32\lxdncoms.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Windows\system32\conhost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://yeppo.net

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Set UA String (BHO): {3ce56db6-fcbe-4422-9454-63c354178985} - c:\program files\uapick\UABtn.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [cacaoweb] "c:\users\will\appdata\roaming\cacaoweb\cacaoweb.exe" -noplayer

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

uPolicies-explorer: ForceRunOnStartMenu = 1 (0x1)

uPolicies-explorer: QuickLaunchEnabled = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: {7CD59A63-0815-46D0-B474-2E5BCFCADD7C} - {1E866952-62EA-4161-B97D-4D228CEDF7A0} - c:\program files\uapick\UABtn.dll

Trusted Zone: motive.com\pattta.att

Trusted Zone: motive.com\patttbc.att

DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} - hxxps://fixit.support.microsoft.com/ActiveX/FixItClient.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{B2F02C79-8312-4F9E-8749-8F2F57392CB8} : DhcpNameServer = 192.168.1.254

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\will\appdata\roaming\mozilla\firefox\profiles\mhl1biwx.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\common files\motive\npMotive.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\will\appdata\roaming\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\users\will\appdata\roaming\mozilla\firefox\profiles\mhl1biwx.default\extensions\coralietab@mozdev.org\plugins\npCoralIETab.dll

FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}

FF - Ext: cacaoweb: cacaoweb@cacaoweb.org - %profile%\extensions\cacaoweb@cacaoweb.org

FF - Ext: OpenDownload²: {210249CE-F888-11DD-B868-4CB456D89593} - %profile%\extensions\{210249CE-F888-11DD-B868-4CB456D89593}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: IE Tab +: coralietab@mozdev.org - %profile%\extensions\coralietab@mozdev.org

FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\will\appdata\roaming\Move Networks

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-7-28 176128]

R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2011-7-28 291840]

R2 AODDriver4.01;AODDriver4.01;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2011-6-24 39424]

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]

R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2009-8-13 98984]

R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-1-8 37944]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-7-28 8396800]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-7-28 247296]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2011-6-6 211984]

R3 KMWDFILTERx86;HIDServiceDesc;c:\windows\system32\drivers\KMWDFILTER.sys [2009-4-29 25088]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-14 22216]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-6-19 19712]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-7-15 322848]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-23 366152]

S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2009-11-26 45440]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 cur_bus;Curitel USB Composite Device driver (WDM);c:\windows\system32\drivers\cur_bus.sys [2005-7-19 57744]

S3 cur_mdfl;Curitel Packet Service Filter;c:\windows\system32\drivers\cur_mdfl.sys [2005-7-19 8336]

S3 cur_mdm;Curitel Packet Service Drivers;c:\windows\system32\drivers\cur_mdm.sys [2005-7-19 93328]

S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);c:\windows\system32\drivers\cur_serd.sys [2005-7-19 73152]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-1-4 14216]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-1-4 8456]

S3 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]

S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2009-11-26 56960]

S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [2009-7-13 35840]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-4-5 15872]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-5 52224]

S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]

S4 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]

.

=============== Created Last 30 ================

.

2011-11-16 22:50:42 1564976 ----a-w- c:\program files\tdsskiller.exe

2011-11-16 09:57:32 -------- d-sh--w- C:\$RECYCLE.BIN

2011-11-16 09:49:09 4296444 ----a-r- c:\program files\ComboFix.exe

2011-11-16 01:17:00 607260 ------r- c:\program files\dds.scr

2011-11-16 00:57:36 98816 ----a-w- c:\windows\sed.exe

2011-11-16 00:57:36 518144 ----a-w- c:\windows\SWREG.exe

2011-11-16 00:57:36 256000 ----a-w- c:\windows\PEV.exe

2011-11-16 00:57:36 208896 ----a-w- c:\windows\MBR.exe

2011-11-13 00:20:00 -------- d-----w- c:\programdata\Avanquest

2011-11-13 00:20:00 -------- d-----w- c:\program files\Avanquest update

2011-11-13 00:18:45 -------- d-----w- c:\users\will\appdata\local\BVRP Software

2011-11-12 23:59:26 -------- d-----w- c:\program files\Motorola Phone Tools

2011-11-10 02:30:22 -------- d-----w- c:\program files\Replay Video Capture

2011-11-08 23:12:41 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-08 23:12:39 708608 ----a-w- c:\program files\common files\system\wab32.dll

2011-11-08 23:12:19 2341888 ----a-w- c:\windows\system32\win32k.sys

2011-11-07 23:58:58 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-11-07 23:53:54 69632 ----a-w- c:\windows\system32\drivers\bowser.sys

.

==================== Find3M ====================

.

2011-11-13 18:20:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-03 07:50:34 544656 ----a-w- c:\windows\system32\deployJava1.dll

2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-27 04:26:27 233472 ----a-w- c:\windows\system32\oleacc.dll

2007-03-09 07:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7601 Disk: ST3500830AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: >>UNKNOWN [0x83607000]<< >>UNKNOWN [0x8C2AA000]<< >>UNKNOWN [0x8C299000]<< >>UNKNOWN [0x84357000]<< >>UNKNOWN [0x83A19000]<< >>UNKNOWN [0x86E571F8]<<

_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }

1 ntkrnlpa!IofCallDriver[0x8363E52A] -> \Device\Harddisk0\DR0[0x86ECBAC8]

\Driver\Disk[0x86ED2460] -> IRP_MJ_CREATE -> 0x8C2AE39F

3 [0x8C2AE59E] -> ntkrnlpa!IofCallDriver[0x8363E52A] -> [0x870135B8]

\Driver\ACPI[0x861F37A8] -> IRP_MJ_CREATE -> 0x843604CC

5 [0x843603D4] -> ntkrnlpa!IofCallDriver[0x8363E52A] -> \Device\Ide\IdeDeviceP0T0L0-0[0x87018030]

\Driver\atapi[0x86E93F38] -> IRP_MJ_CREATE -> 0x86E571F8

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 17:13:50.34 ===============

Link to post
Share on other sites
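The "Pseudo HJT Report" section of the DDS log above carries two things a helper reads first: the mPolicies-system lines (here EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0, which together mean UAC is switched off) and the uRun/mRun autostart entries. The script below is an added example, not DDS code and not part of any post in this thread. It parses those line formats, compares the UAC values with their Windows 7 defaults, and flags autoruns whose image lives under the user profile. The sample lines are copied from the log above; the profile-directory rule is a triage heuristic, and a hit does not by itself mean the entry is malicious.

```python
import re

# Sample input: lines copied from the "Pseudo HJT Report" section of the DDS
# log above. A real run would feed the whole DDS.txt.
SAMPLE_DDS_LINES = r"""
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://yeppo.net
uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [cacaoweb] "c:\users\will\appdata\roaming\cacaoweb\cacaoweb.exe" -noplayer
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
""".strip().splitlines()

# Windows 7 defaults for the UAC values DDS reports under mPolicies-system
# (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 0 turns UAC off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 = elevate silently without a prompt
    "ConsentPromptBehaviorUser": 3,   # 3 = prompt for credentials on the secure desktop
    "PromptOnSecureDesktop": 1,       # 0 = prompts appear on the normal desktop
}

POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s+=\s+(\d+)")
RUN_RE = re.compile(r"^([um]Run):\s+\[([^\]]*)\]\s+(.*)$")


def parse_uac_policies(lines) -> dict:
    """Name -> integer value for every mPolicies-system line."""
    found = {}
    for line in lines:
        m = POLICY_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def uac_findings(policies: dict) -> list:
    """Names of UAC values that differ from the Windows 7 default."""
    return [name for name, default in UAC_DEFAULTS.items()
            if name in policies and policies[name] != default]


def parse_run_entries(lines) -> list:
    """(scope, name, image path) for each uRun/mRun line; quoted paths keep spaces."""
    entries = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        scope, name, rest = m.groups()
        # DDS quotes the image path when the command carries arguments.
        path = rest.split('"')[1] if rest.startswith('"') else rest.strip()
        entries.append((scope, name, path))
    return entries


def suspicious_autoruns(entries) -> list:
    """Heuristic: autoruns whose image lives under a user-writable profile directory."""
    return [name for _scope, name, path in entries if "\\appdata\\" in path.lower()]


if __name__ == "__main__":
    pol = parse_uac_policies(SAMPLE_DDS_LINES)
    for name in uac_findings(pol):
        print("UAC: %s = %d (default %d)" % (name, pol[name], UAC_DEFAULTS[name]))
    for name in suspicious_autoruns(parse_run_entries(SAMPLE_DDS_LINES)):
        print("autorun from user profile:", name)
```

On the sample, the three UAC deviations come out exactly as the log shows them, and the one profile-directory autorun is cacaoweb. Whether the UAC values were set by the user or by something else is a question for the thread, not something the script can answer; it only makes the deviation from default visible.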

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.

Link to post
Share on other sites

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-11-18 18:05:17

Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500830AS rev.3.AAD

Running: gmer.exe; Driver: C:\Users\Will\AppData\Local\Temp\pxldipow.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 83685349 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 836BED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

? System32\Drivers\spex.sys The system cannot find the path specified. !

PAGE ataport.SYS!DllUnload + 1 8BC7DAD7 4 Bytes JMP 8619E1D9

.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92215000, 0x39CB05, 0xE8000020]

.text USBPORT.SYS!DllUnload 91680DB9 5 Bytes JMP 875AA1D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2184] ntdll.dll!LdrLoadDll 779222B8 5 Bytes JMP 00E5131F C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86E551F8

Device \Driver\usbohci \Device\USBPDO-0 875A91F8

Device \Driver\usbohci \Device\USBPDO-1 875A91F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{B2F02C79-8312-4F9E-8749-8F2F57392CB8} 8749A1F8

Device \Driver\usbohci \Device\USBPDO-2 875A91F8

Device \Driver\usbohci \Device\USBPDO-3 875A91F8

Device \Driver\usbohci \Device\USBPDO-4 875A91F8

Device \Driver\usbehci \Device\USBPDO-5 875AB1F8

Device \Driver\ACPI_HAL \Device\00000057 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume1 861A01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 861A01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 874191F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 86E531F8

Device \Driver\atapi \Device\Ide\IdePort0 86E531F8

Device \Driver\atapi \Device\Ide\IdePort1 86E531F8

Device \Driver\atapi \Device\Ide\IdePort2 86E531F8

Device \Driver\atapi \Device\Ide\IdePort3 86E531F8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 86E531F8

Device \Driver\volmgr \Device\HarddiskVolume3 861A01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume4 861A01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume5 861A01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume6 861A01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume7 861A01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBt_Wins_Export 8749A1F8

Device \Driver\volmgr \Device\HarddiskVolume8 861A01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\USBSTOR \Device\00000085 874391F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{031509B7-4D9E-4BB6-9394-00B5AFCB3C64} 8749A1F8

Device \Driver\USBSTOR \Device\00000089 874391F8

Device \Driver\usbohci \Device\USBFDO-0 875A91F8

Device \Driver\usbohci \Device\USBFDO-1 875A91F8

Device \Driver\usbohci \Device\USBFDO-2 875A91F8

Device \Driver\usbohci \Device\USBFDO-3 875A91F8

Device \Driver\usbohci \Device\USBFDO-4 875A91F8

Device \Driver\USBSTOR \Device\0000008a 874391F8

Device \Driver\usbehci \Device\USBFDO-5 875AB1F8

Device \Driver\USBSTOR \Device\0000008b 874391F8

Device \Driver\USBSTOR \Device\0000008c 874391F8

Device \FileSystem\cdfs \Cdfs 874181F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792

Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_6.1.7601_26e8c897748762c3fbbfd4429c1791aad85cad_090d85c2

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@ Folder Redirection

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@ProcessGroupPolicyEx ProcessGroupPolicyEx

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@DllName fdeploy.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoMachinePolicy 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoSlowLink 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@PerUserLocalSettings 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoGPOListChanges 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoBackgroundPolicy 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@GenerateGroupPolicy GenerateGroupPolicy

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@EventSources (Folder Redirection,Application)?

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@DisplayName @fdeploy.dll,-261

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@ Microsoft Disk Quota

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@DisplayName @%SystemRoot%\System32\dskquota.dll,-100

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoMachinePolicy 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoUserPolicy 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoSlowLink 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoBackgroundPolicy 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoGPOListChanges 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@PerUserLocalSettings 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@RequiresSuccessfulRegistry 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@EnableAsynchronousProcessing 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@DllName %SystemRoot%\System32\dskquota.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@ProcessGroupPolicy ProcessGroupPolicy

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@ QoS Packet Scheduler

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@DisplayName @gptext.dll,-201

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@ProcessGroupPolicy ProcessPSCHEDPolicy

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@DllName gptext.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@NoUserPolicy 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@NoGPOListChanges 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}@ Remote Desktop USB Redirection

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}@DllName %SystemRoot%\System32\TsUsbRedirectionGroupPolicyExtension.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}@RequiresSuccessfulRegistry 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}@ProcessGroupPolicyEx ProcessGroupPolicyEx

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}@NoGPOListChanges 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}@NoUserPolicy 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}@DisplayName @%SystemRoot%\System32\TsUsbRedirectionGroupPolicyExtension.dll,-100

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}@NoBackgroundPolicy 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}@ Windows Search Group Policy Extension

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}@ProcessGroupPolicy ProcessGroupPolicy

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}@DllName %SystemRoot%\System32\srchadmin.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}@RequiresSuccessfulRegistry 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}@NoSlowLink 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}@NoGPOListChanges 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}@NoUserPolicy 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}@NoMachinePolicy 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}@PerUserLocalSettings 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}@EnableAsynchronousProcessing 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}@NoBackgroundPolicy 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@ Deployed Printer Connections

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@DisplayName @%systemroot%\system32\gpprnext.dll,-1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@DllName %systemroot%\system32\gpprnext.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@EnableAsynchronousProcessing 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@ExtensionEventSource

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@GenerateGroupPolicy PrinterGenerateGroupPolicy

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@MaxNoGPOListChangesInterval 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@NoBackgroundPolicy 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@NoGPOListChanges 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@NoMachinePolicy 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@NoSlowLink 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@NotifyLinkTransition 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@NoUserPolicy 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@PerUserLocalSettings 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@ProcessGroupPolicy PrinterProcessGroupPolicy

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@ProcessGroupPolicyEx PrinterProcessGroupPolicyEx

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}@RequiresSuccessfulRegistry 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}@ TCPIP

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}@DisplayName @gptext.dll,-204

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}@ProcessGroupPolicy ProcessTCPIPPolicy

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}@DllName gptext.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}@NoUserPolicy 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}@NoGPOListChanges 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}@RequiresSuccessfulRegistry 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@ IP Security

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@ProcessGroupPolicyEx ProcessIPSECPolicyEx

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@GenerateGroupPolicy GenerateIPSECPolicy

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@DllName %SystemRoot%\System32\polstore.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@NoUserPolicy 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@NoGPOListChanges 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@DisplayName @C:\Windows\system32\polstore.dll,-5012

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}@ Audit Policy Configuration

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}@ProcessGroupPolicyEx ProcessGroupPolicyEx

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}@GenerateGroupPolicy GenerateGroupPolicy

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}@DllName auditcse.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}@NoUserPolicy 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}@EnableAsynchronousProcessing 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}@MaxNoGPOListChangesInterval 960

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}@ForceRefreshFG 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}@ Enterprise QoS

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}@DisplayName @gptext.dll,-203

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}@ProcessGroupPolicy ProcessEQoSPolicy

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}@DllName gptext.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}@RequiresSuccessfulRegistry 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}@ CP

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}@DisplayName @gptext.dll,-205

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}@ProcessGroupPolicy ProcessConnectivityPlatformPolicy

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}@DllName gptext.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}@NoUserPolicy 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}@NoGPOListChanges 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}@RequiresSuccessfulRegistry 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DllName C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logon SABWINLOLogon

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logoff SABWINLOLogoff

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Startup SABWINLOStartup

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Shutdown SABWINLOShutdown

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Asynchronous 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Impersonate 0

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dstfixx@DllName dstfixx.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dstfixx@Startup dstfixx?op

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dstfixx@Impersonate 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dstfixx@Asynchronous 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dstfixx@MaxWait 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrdivin@DllName wrdivin.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrdivin@Startup wrdivin?op

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrdivin@Impersonate 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrdivin@Asynchronous 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrdivin@MaxWait 1

---- EOF - GMER 1.0.15 ----

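The Winlogon\Notify entries at the end of the GMER log above are the interesting part of that dump: the SUPERAntiSpyware entry names a full path and normal export names, while the dstfixx and wrdivin entries register a bare DLL name and handler names that GMER prints as "dstfixx?op" and "wrdivin?op". The ESET log further down this thread identifies both DLLs as Win32/TrojanProxy.Agent.NGY. The script below is an added example, not part of the thread and not a GMER or Malwarebytes tool; it parses Notify lines in GMER's "Reg HKLM\...@Value Data" format and flags packages whose DllName carries no directory (so the loader resolves it through the DLL search path) or whose handler names are not valid export identifiers. The sample input is copied from the log above, and the list of handler value names is the documented set for Winlogon notification packages.

```python
import re
from collections import defaultdict

# Winlogon\Notify lines copied verbatim from the GMER output posted above.
# !SASWinLogon belongs to SUPERAntiSpyware; dstfixx and wrdivin are the two
# DLLs the ESET scan further down the thread flags as TrojanProxy.Agent.NGY.
GMER_LINES = r"""
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DllName C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logon SABWINLOLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Startup SABWINLOStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dstfixx@DllName dstfixx.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dstfixx@Startup dstfixx?op
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dstfixx@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrdivin@DllName wrdivin.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrdivin@Startup wrdivin?op
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrdivin@Asynchronous 1
""".strip().splitlines()

# GMER prints one registry value per line: "Reg <key>@<value name> <data>".
NOTIFY_RE = re.compile(
    r"^Reg\s+HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
    r"([^@\\]+)@(\w+)\s*(.*)$"
)

# Event handler values a Winlogon notification package may register; each one
# names an exported function inside DllName, so it must be a plain identifier.
HANDLER_VALUES = (
    "Logon", "Logoff", "Startup", "Shutdown", "Lock", "Unlock",
    "StartScreenSaver", "StopScreenSaver", "StartShell", "PostShell",
    "Disconnect", "Reconnect",
)
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_notify_entries(lines):
    """Group the GMER lines into {subkey: {value name: data}}."""
    entries = defaultdict(dict)
    for line in lines:
        m = NOTIFY_RE.match(line.strip())
        if m:
            subkey, value, data = m.groups()
            entries[subkey][value] = data.strip()
    return dict(entries)


def assess_entry(values):
    """Return a list of reasons this Notify package looks abnormal (empty if none)."""
    reasons = []
    dll = values.get("DllName", "")
    if not dll:
        reasons.append("no DllName value")
    elif "\\" not in dll:
        # A bare file name is resolved through the DLL search path rather than
        # from a fixed location, which is how dstfixx.dll and wrdivin.dll appear.
        reasons.append(f"DllName {dll!r} has no directory, so it is resolved through the DLL search path")
    for name in HANDLER_VALUES:
        if name in values and not IDENT_RE.match(values[name]):
            reasons.append(f"{name} handler {values[name]!r} is not a valid export name")
    return reasons


def suspicious_notify_packages(lines):
    """Map each flagged Notify subkey to its list of reasons."""
    flagged = {}
    for subkey, values in parse_notify_entries(lines).items():
        reasons = assess_entry(values)
        if reasons:
            flagged[subkey] = reasons
    return flagged


if __name__ == "__main__":
    for subkey, reasons in suspicious_notify_packages(GMER_LINES).items():
        print(subkey)
        for r in reasons:
            print("  -", r)
```

Run as-is, the script reports dstfixx and wrdivin (two reasons each) and stays silent on !SASWinLogon. A structural check like this only ranks entries for a human to look at; the package that passes should still be matched against the vendor's known file, and on Windows 7 the Notify key is a legacy location that ordinarily holds nothing but third-party security products, so any unfamiliar subkey there deserves a look regardless of the checks.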

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab and select Check for Updates.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 2

  1. Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan
  2. Tick the box next to YES, I accept the Terms of Use
  3. Click Start
  4. When asked, allow the ActiveX control to install
  5. Click Start
  6. Make sure that the options Remove found threats and Scan unwanted applications are checked
  7. Click Scan (This scan can take several hours, so please be patient)
  8. Once the scan is completed, you may close the window
  9. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  10. Copy and paste that log as a reply to this topic

In your next reply, please post the following log files:

  • Malwarebytes' Anti-malware log
  • ESET Online Scanner log


Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8192

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

11/19/2011 6:28:29 AM

mbam-log-2011-11-19 (06-28-29).txt

Scan type: Quick scan

Objects scanned: 185439

Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=9a36cb7cfc452542abe570824abd21c0

# end=stopped

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-11-19 12:19:43

# local_time=2011-11-19 07:19:43 (-0500, US Eastern Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776638 100 85 16914308 73247191 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=57861

# found=7

# cleaned=7

# scan_time=2783

C:\Program Files\Veoh Networks\VeohWebPlayer\qlipso-qlipso-silent-us.exe a variant of Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Veoh Networks\VeohWebPlayer\qlps-qlipso-sntb.exe a variant of Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Windows\System32\dstfixx.dll.vir a variant of Win32/TrojanProxy.Agent.NGY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Windows\System32\wrdivin.dll.vir a variant of Win32/TrojanProxy.Agent.NGY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Will\AppData\Local\Shareaza\Incomplete\sha1_WVA5KYE6YM2HWXEF7M43SAFKQ376BL6E.partial a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Users\Will\AppData\Local\Temp\mozOpenDownload\SoftonicDownloader_for_yahoo-messenger.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Will\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\6da9bb9f-319aab6f Java/Agent.DW trojan (deleted - quarantined) 00000000000000000000000000000000 C

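Reading the ESET log above, not all seven detections are equal: two of them live under C:\Qoobox\Quarantine, which is ComboFix's quarantine folder, so those are copies ComboFix had already pulled out of System32 (the same dstfixx.dll and wrdivin.dll from the GMER Notify entries), while the others are live files in Program Files, a P2P incomplete-download folder, a browser temp folder and the Java deployment cache. The script below is an added example for triaging such a log; it is not an ESET tool and not part of this thread. It parses ESET's "<path> <threat> (<action>) <hash> <flag>" lines, the sample input is copied from the log above, and the location categories and their path patterns are my own assumptions chosen for these seven paths.

```python
import re
from collections import Counter

# Detection lines copied verbatim from the ESET Online Scanner log posted above.
ESET_LINES = r"""
C:\Program Files\Veoh Networks\VeohWebPlayer\qlipso-qlipso-silent-us.exe a variant of Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Veoh Networks\VeohWebPlayer\qlps-qlipso-sntb.exe a variant of Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\System32\dstfixx.dll.vir a variant of Win32/TrojanProxy.Agent.NGY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\System32\wrdivin.dll.vir a variant of Win32/TrojanProxy.Agent.NGY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Will\AppData\Local\Shareaza\Incomplete\sha1_WVA5KYE6YM2HWXEF7M43SAFKQ376BL6E.partial a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\Will\AppData\Local\Temp\mozOpenDownload\SoftonicDownloader_for_yahoo-messenger.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Will\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\6da9bb9f-319aab6f Java/Agent.DW trojan (deleted - quarantined) 00000000000000000000000000000000 C
""".strip().splitlines()

# Windows paths contain spaces but never "/", while every ESET threat name
# contains a "/" (Win32/..., WMA/..., Java/...), which is what separates the
# path from the threat description here.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:a variant of\s+)?\S+/\S+(?:\s+\S+)?)\s+"
    r"\((?P<action>[^)]+)\)\s+"
    r"(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)


def classify_location(path):
    """Assumed location categories, keyed on path fragments (case-insensitive)."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine"):   # ComboFix quarantine folder
        return "combofix_quarantine"
    if "\\sun\\java\\deployment\\cache" in p:    # Java applet/JNLP cache
        return "java_cache"
    if "\\appdata\\local\\temp\\" in p:          # per-user temp folder
        return "temp"
    if "\\shareaza\\incomplete\\" in p:          # P2P client's partial downloads
        return "p2p_incomplete"
    if "\\program files\\" in p:                 # installed software
        return "program_files"
    return "other"


def parse_detections(lines):
    """Parse each ESET detection line into a dict, adding a location class."""
    detections = []
    for line in lines:
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["location"] = classify_location(d["path"])
        # A file under ComboFix's quarantine was already neutralised before
        # ESET ran; everything else was still in place on the live system.
        d["live"] = d["location"] != "combofix_quarantine"
        # This log prints an all-zero hash, so it gives no IoC to pivot on.
        d["has_hash"] = set(d["hash"]) != {"0"}
        detections.append(d)
    return detections


def triage_summary(lines):
    """Counts by location plus the paths that were only quarantined copies."""
    dets = parse_detections(lines)
    return {
        "total": len(dets),
        "live": sum(1 for d in dets if d["live"]),
        "by_location": dict(Counter(d["location"] for d in dets)),
        "already_quarantined_by_combofix": [d["path"] for d in dets if not d["live"]],
        "with_usable_hash": sum(1 for d in dets if d["has_hash"]),
    }


if __name__ == "__main__":
    for key, value in triage_summary(ESET_LINES).items():
        print(f"{key}: {value}")
```

The summary for this log counts seven detections, of which five were live and two were ComboFix's quarantined copies, and notes that none of the lines carries a usable hash. Splitting the count that way tells the helper which findings point at a still-active infection vector (here the Java cache hit and the P2P download) rather than at files already removed by an earlier step.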

Step 1

To disable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 2

We need to get the mbr dump for analysis.

Make sure TDSSKiller.exe is on the Desktop itself, not within a folder on the desktop.

Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -qmbr

A folder will appear called TDSSKiller_Quarantine in the C:\ drive.

Please zip up that folder and attach it to your next reply.

Step 3

Open Start Menu and type computer, click on Computer Management and then Disk Management. Capture a screenshot and attach it in your next reply.

http://en.wikipedia.org/wiki/Screenshot#Microsoft_Windows
