virus stops virus scan at windows folder

JarJar
2010-05-31, 23:07
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Jarvis Family at 14:28:22.51 on Mon 05/31/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/home.php?#!/?sk=messages&tid=1246764423057
uInternet Connection Wizard,ShellNext = hxxp://www.avast.com/go.php?verb=register-home&lang=eng
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: MyWay Search Assistant BHO: {04079851-5845-4dea-848c-3ecd647aa554} - c:\program files\myway\srchastt\1.bin\MYSRCHAS.DLL
BHO: myBar BHO: {0494d0d1-f8e0-41ad-92a3-14154ece70ac} - c:\program files\myway\mybar\1.bin\MYBAR.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Bsecure Popup Blocker: {e0019445-4c1f-414d-a70e-ad80f231c584} - c:\windows\system32\inetcntrl\popupkil\BsafeBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} - c:\program files\webshots\WSToolbar4IE.dll
TB: Bsecure Popup Blocker: {e0019445-4c1f-414d-a70e-ad80f231c584} - c:\windows\system32\inetcntrl\popupkil\BsafeBHO.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: My &Search Bar: {0494d0d9-f8e0-41ad-92a3-14154ece70ac} - c:\program files\myway\mybar\1.bin\MYBAR.DLL
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: ShopAtHome Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_bho.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ATI Remote Control] "c:\program files\ati multimedia\remctrl\ATIX10.exe"
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [TkBellExe] c:\program files\realmedia\update_ob\evntsvc.exe -osboot
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [InetCntrl] c:\windows\system32\inetcntrl\InetCntrl.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SelectRebates] c:\program files\selectrebates\SelectRebates.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [HP DLA] "c:\program files\hp dla\dlatray.exe" /t
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HP CD-DVD] c:\program files\hp cd-dvd\umbrella\hpcdtray.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [cubgssxh] c:\documents and settings\jarvis family\local settings\application data\scvhkxslb\mlafwwdtssd.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\jarvis~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\jarvis family\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\jarvis~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\jarvis~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\skywat~1.lnk - c:\program files\common files\skywatch13\TrueWeather.exe
IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
LSP: InetCntrl0012.dll
Trusted Zone: aol.com\free
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230875329609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 74.125.127.100 www.bing.com
Hosts: 74.125.127.100 bing.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jarvis~1\applic~1\mozilla\firefox\profiles\rew9tmxd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.worldmag.com/index.cfm
FF - prefs.js: keyword.URL - hxxp://wstb.search.imgag.com/?c=&sbs=1&sc=&f=web&vernum=3.1.3.7504&uid=&did={f8d4a70c-98e2-4081-901d-01bf93043ede}&q=
FF - component: c:\documents and settings\jarvis family\application data\mozilla\firefox\profiles\rew9tmxd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\jarvis family\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\jarvis family\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\jarvis family\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpverplug.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-05-23 21:25:07 0 d-----w- c:\program files\CCleaner
2010-05-16 01:12:37 0 d-----w- C:\824c44ed3d90af577e91b5
2010-05-15 21:24:00 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-12 18:13:55 0 d-----w- c:\program files\FunWebProducts
2010-05-02 22:21:14 1568 ----a-w- c:\documents and settings\jarvis family\.recently-used.xbel

==================== Find3M ====================

2010-04-16 20:59:05 148736 ----a-w- c:\docume~1\alluse~1\applic~1\hpe4F9.dll
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2008-09-17 00:08:50 65686 ----a-w- c:\program files\Photoshop CS4 Read Me.pdf
2008-09-11 16:49:26 108336 ----a-w- c:\program files\Photoshop CS4 — Lisez-moi.pdf
2008-09-11 16:47:50 103148 ----a-w- c:\program files\Léame de Photoshop CS4.pdf

============= FINISH: 14:28:47.00 ===============
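The "Pseudo HJT Report" section above is what a malware-removal helper reads by eye: autostart entries launched from a user's Local Settings tree under random-looking names, entries with no backing file, a Winsock LSP, and hosts-file lines sending a well-known name to a public address. As an added example (not part of the original post, and not code from the DDS tool), a small Python script that applies those same checks to lines in the DDS format. The sample input is constructed and modelled on a few entries from the log; the vowel-ratio name test is a triage heuristic, not a verdict.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread; it is not part of the original post and not
code from the DDS tool. It encodes checks a malware-removal helper applies
by eye: autostart entries launched from a user's Local Settings tree or
carrying random-looking names, entries with no backing file, Winsock LSP
entries, and hosts-file lines that point a name at a non-loopback address.
"""
import ipaddress
import re

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
EXE_RE = re.compile(r'([^\\"]+)\.exe', re.IGNORECASE)  # basename of the launched exe
VOWELS = set("aeiouy")

# Constructed sample input, modelled on entries in the log above.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [cubgssxh] c:\documents and settings\jarvis family\local settings\application data\scvhkxslb\mlafwwdtssd.exe
uRun: [<NO NAME>]
uURLSearchHooks: H - No File
LSP: InetCntrl0012.dll
Hosts: 74.125.127.100 www.bing.com
Hosts: 127.0.0.1 localhost
"""


def looks_random(token: str) -> bool:
    """Long, purely alphabetic, vowel-poor names ("cubgssxh", "mlafwwdtssd")
    are typical of generated malware names. Short names and names containing
    digits are not judged, which limits false positives on vendor files."""
    if len(token) < 8 or not token.isalpha():
        return False
    vowels = sum(1 for ch in token.lower() if ch in VOWELS)
    return vowels / len(token) < 0.25


def suspicious_run(name: str, cmd: str) -> list:
    """Reasons an autostart entry deserves a look; an empty list means none."""
    reasons = []
    low = cmd.lower()
    if "\\local settings\\" in low:
        reasons.append("launched from a user's Local Settings tree")
    m = EXE_RE.search(cmd)
    exe = m.group(1) if m else ""
    parent = low.split("\\")[-2] if "\\" in low else ""  # directory holding the exe
    for token in (name, exe, parent):
        if looks_random(token):
            reasons.append(f"random-looking name {token!r}")
            break
    return reasons


def hosts_redirect(ip: str) -> bool:
    """True when a hosts entry sends a name anywhere other than loopback or the
    unspecified (blackhole) address; a malformed address is also flagged."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not (addr.is_loopback or addr.is_unspecified)


def triage(log_text: str) -> list:
    """Return (kind, reason, line) tuples for lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("- No File") or line.endswith("[<NO NAME>]"):
            findings.append(("orphan", "entry with no backing file", line))
            continue
        if line.startswith("LSP:"):
            findings.append(("lsp", "Winsock LSP sits in the network path; verify the vendor", line))
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = suspicious_run(m.group("name"), m.group("cmd"))
            if reasons:
                findings.append(("autostart", "; ".join(reasons), line))
            continue
        m = HOSTS_RE.match(line)
        if m and hosts_redirect(m.group("ip")):
            findings.append(("hosts", f"{m.group('host')} redirected to {m.group('ip')}", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_DDS):
        print(f"[{kind}] {reason}\n    {line}")
```

Run against the sample it reports the cubgssxh entry (both for its location and its name), the two orphan entries, the LSP, and the bing.com redirect, while ctfmon, avast and the localhost line pass. Legitimate vendor files occasionally have vowel-poor names, so a hit is a prompt to check the file's publisher and location, not a conviction.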

IndiGenus
2010-06-02, 23:48
Hello JarJar and welcome to the forums. Sorry for the delay in getting to your post.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please also run and post new DDS logs for review, and let me know how it's running.

JarJar
2010-06-04, 05:39
I cannot get to the ComboFix link you gave me. Is there another place? Can't even get to the bleepingcomputer website. Computer shuts down every 5 minutes.

IndiGenus
2010-06-04, 05:50
Do you have another PC you can download it on, then copy it over with a flash drive or CD/DVD?

JarJar
2010-06-04, 06:37
I will use a flash drive to hopefully load it. Ports and DVD player are getting old and don't always work. :(

JarJar
2010-06-04, 06:45
I finally got to bleepingcomputer and ComboFix is not there anymore, or at least not where that link takes you.

JarJar
2010-06-04, 06:50
I even searched all their executables and there was no combofix.exe. I found it on other websites, just not sure where a safe place to get it is.

IndiGenus
2010-06-04, 07:14
If you are trying to do this on the infected PC, the malware is probably blocking you. Here are the direct links, but you may need to get there on a clean PC, then copy the .exe file over.

http://www.forospyware.com/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

JarJar
2010-06-04, 20:19
Here's another twist. I uninstalled my AFA internet filter because I was only able to be on for about 5 minutes at a time and part of that time was spent restarting my filter so I could use the internet. So after I uninstalled the filter the computer didn't shut down on its own except for a couple of times. (Believe me, that's nothing when the thing had been shutting down every 5 minutes.) I was able to run the whole AVAST scan and it found nothing. So then I downloaded Spybot and ran it and it cleaned up a bunch of things but told me I had 2 things left it needed to clean up when the computer restarted. I was doing all of this in safe mode until I downloaded Spybot. I was sure it was a virus so was surprised that AVAST found nothing. Spybot never got through the 2nd scan though. It was late and I just shut down the computer. Should I still try to use ComboFix if I can?

IndiGenus
2010-06-04, 20:35
> I was sure it was a virus so was surprised that AVAST found nothing.

That doesn't mean anything. If a rootkit is present Avast, or most any AV, will see nothing.

Unless absolutely needed please don't make any other system changes while we're trying to clean this. That's like hitting a moving target for me as I can't see what's going on. If you're not able to follow the instructions given, then report back as to what happened and why.

So the answer is still yes, please run combofix and post the log.

JarJar
2010-06-05, 00:01
Okay, sorry to make things more confusing. I will try to get to ComboFix and run it. Thanks.

IndiGenus
2010-06-05, 00:07
> okay, sorry to make things more confusing, I will try to get to combofix and run it. thanks

My hope is that will make things much easier for both of us.

JarJar
2010-06-05, 02:16
combofix went through the steps like in the pics provided except it only got to stage 10 or so when it shut down. I saw just now there are supposed to be 50 steps. Do I run it again? I guess I have to or you won't have a log to look at?

IndiGenus
2010-06-05, 02:57
Let's try this tool on it.

Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

JarJar
2010-06-05, 03:03
19:01:45:296 2520 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
19:01:45:296 2520 ================================================================================
19:01:45:296 2520 SystemInfo:

19:01:45:296 2520 OS Version: 5.1.2600 ServicePack: 3.0
19:01:45:296 2520 Product type: Workstation
19:01:45:296 2520 ComputerName: HOUSE
19:01:45:296 2520 UserName: Jarvis Family
19:01:45:296 2520 Windows directory: C:\WINDOWS
19:01:45:296 2520 Processor architecture: Intel x86
19:01:45:296 2520 Number of processors: 2
19:01:45:296 2520 Page size: 0x1000
19:01:45:296 2520 Boot type: Normal boot
19:01:45:296 2520 ================================================================================
19:01:45:500 2520 Initialize success
19:01:45:500 2520
19:01:45:500 2520 Scanning Services ...
19:01:45:859 2520 Raw services enum returned 420 services
19:01:45:875 2520
19:01:45:875 2520 Scanning Drivers ...
19:01:46:531 2520 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
19:01:46:578 2520 Aavmker4 (2ccfa74242741ca22a4267cce9b586f4) C:\WINDOWS\system32\drivers\Aavmker4.sys
19:01:46:609 2520 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:01:46:656 2520 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:01:46:687 2520 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\WINDOWS\system32\drivers\adfs.sys
19:01:46:734 2520 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:01:46:765 2520 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
19:01:46:796 2520 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
19:01:46:828 2520 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
19:01:46:921 2520 AN983 (116bff96077a4a724e0aab800525ceb5) C:\WINDOWS\system32\DRIVERS\AN983.sys
19:01:46:937 2520 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:01:46:984 2520 aswFsBlk (b4079a98f294a3e262872cb76f4849f0) C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
19:01:47:000 2520 aswMon2 (dbee7b5ecb50fc2cf9323f52cbf41141) C:\WINDOWS\system32\drivers\aswMon2.sys
19:01:47:031 2520 aswRdr (8080d683489c99cbace813f6fa4069cc) C:\WINDOWS\system32\drivers\aswRdr.sys
19:01:47:046 2520 aswSP (2e5a2ad5004b55df39b7606130a88142) C:\WINDOWS\system32\drivers\aswSP.sys
19:01:47:078 2520 aswTdi (d4c83a37efadfa2c398362e0776e3773) C:\WINDOWS\system32\drivers\aswTdi.sys
19:01:47:093 2520 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:01:47:125 2520 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:01:47:265 2520 ati2mtag (8763ede3e0cd40f5c3450571ac57f205) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
19:01:47:375 2520 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:01:47:421 2520 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:01:47:453 2520 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
19:01:47:484 2520 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:01:47:515 2520 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:01:47:546 2520 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
19:01:47:562 2520 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:01:47:593 2520 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:01:47:640 2520 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:01:47:687 2520 COMMONFX.DLL (94bf0790f0777d058747bf0f03496251) C:\WINDOWS\system32\COMMONFX.DLL
19:01:47:734 2520 CT20XUT.DLL (6191a973461852a09d643609e1d5f7c6) C:\WINDOWS\system32\CT20XUT.DLL
19:01:47:765 2520 ctac32k (e7610aba1f551eb77b6bb2274d194f93) C:\WINDOWS\system32\drivers\ctac32k.sys
19:01:47:812 2520 ctaud2k (e9ee8b502acfbd0955d081d7a1ccce24) C:\WINDOWS\system32\drivers\ctaud2k.sys
19:01:47:859 2520 CTAUDFX.DLL (0439d0254075c9ba689fc3d5a916784e) C:\WINDOWS\system32\CTAUDFX.DLL
19:01:47:906 2520 ctdvda2k (437f2b31ba8b6b264d38b4fe6682faec) C:\WINDOWS\system32\drivers\ctdvda2k.sys
19:01:47:937 2520 CTEAPSFX.DLL (6a57f82009563aee8826f117e1d3c72c) C:\WINDOWS\system32\CTEAPSFX.DLL
19:01:47:968 2520 CTEDSPFX.DLL (c8ac1ffaeadd655193d7b1811a572d8d) C:\WINDOWS\system32\CTEDSPFX.DLL
19:01:48:000 2520 CTEDSPIO.DLL (44495d9daf675257d00b25b041ee6667) C:\WINDOWS\system32\CTEDSPIO.DLL
19:01:48:031 2520 CTEDSPSY.DLL (8e90b1762cb42e2fc76dac9210c83c66) C:\WINDOWS\system32\CTEDSPSY.DLL
19:01:48:046 2520 CTERFXFX.DLL (d3fbd9983325435b06795f29cb57ed3d) C:\WINDOWS\system32\CTERFXFX.DLL
19:01:48:109 2520 CTEXFIFX.DLL (2c48e9d8ca703964463f27ae341115b7) C:\WINDOWS\system32\CTEXFIFX.DLL
19:01:48:156 2520 CTHWIUT.DLL (f7657c598e7c29c6683c1e4a8dd68884) C:\WINDOWS\system32\CTHWIUT.DLL
19:01:48:203 2520 ctprxy2k (90fd30ea61c68df474a0b398f03e6d9b) C:\WINDOWS\system32\drivers\ctprxy2k.sys
19:01:48:234 2520 CTSBLFX.DLL (0ca5c3845e6683285271a70fe12031d6) C:\WINDOWS\system32\CTSBLFX.DLL
19:01:48:265 2520 ctsfm2k (ab564ee9668bf9af1c3e5544cceade1d) C:\WINDOWS\system32\drivers\ctsfm2k.sys
19:01:48:328 2520 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:01:48:390 2520 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:01:48:453 2520 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:01:48:468 2520 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:01:48:500 2520 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:01:48:531 2520 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:01:48:562 2520 drvmcdb (7de2cba4be32633f00b4d3e04e133ff9) C:\WINDOWS\system32\drivers\drvmcdb.sys
19:01:48:578 2520 drvnddm (6213d903a7d6e6540b97f3d7ad384638) C:\WINDOWS\system32\drivers\drvnddm.sys
19:01:48:609 2520 emupia (8b2303cf5fdc7e97a975bd1069cd99d6) C:\WINDOWS\system32\drivers\emupia2k.sys
19:01:48:656 2520 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:01:48:671 2520 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
19:01:48:687 2520 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:01:48:703 2520 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:01:48:734 2520 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:01:48:750 2520 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:01:48:765 2520 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:01:48:796 2520 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
19:01:48:828 2520 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
19:01:48:843 2520 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:01:48:906 2520 ha10kx2k (e64325ba1ede4a2551a0be186c61d4d7) C:\WINDOWS\system32\drivers\ha10kx2k.sys
19:01:48:937 2520 hap16v2k (a28be5017b423a783dd0d0a4cd3b48f5) C:\WINDOWS\system32\drivers\hap16v2k.sys
19:01:48:968 2520 hap17v2k (a595b88ad16d8b5693ddf08113caf30e) C:\WINDOWS\system32\drivers\hap17v2k.sys
19:01:49:000 2520 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:01:49:031 2520 hpcd2k (f72906171a73176623a9792e0a82cece) C:\WINDOWS\system32\drivers\hpcd2k.sys
19:01:49:078 2520 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
19:01:49:093 2520 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
19:01:49:125 2520 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
19:01:49:156 2520 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:01:49:203 2520 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:01:49:218 2520 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:01:49:265 2520 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:01:49:296 2520 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:01:49:328 2520 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:01:49:343 2520 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:01:49:375 2520 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:01:49:390 2520 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:01:49:406 2520 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:01:49:437 2520 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:01:49:453 2520 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:01:49:468 2520 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:01:49:500 2520 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
19:01:49:546 2520 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:01:49:562 2520 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:01:49:609 2520 mdmxsdk (a1e9d936eac07ee9386e87bac1377fad) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
19:01:49:656 2520 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:01:49:687 2520 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:01:49:703 2520 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
19:01:49:734 2520 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
19:01:49:750 2520 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:01:49:781 2520 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:01:49:812 2520 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:01:49:828 2520 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:01:49:906 2520 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:01:49:953 2520 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
19:01:49:953 2520 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:01:50:000 2520 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:01:50:015 2520 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:01:50:031 2520 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:01:50:078 2520 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:01:50:109 2520 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINDOWS\system32\drivers\MSTEE.sys
19:01:50:125 2520 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
19:01:50:156 2520 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
19:01:50:187 2520 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:01:50:203 2520 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
19:01:50:234 2520 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:01:50:250 2520 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:01:50:281 2520 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:01:50:296 2520 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
19:01:50:312 2520 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:01:50:343 2520 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:01:50:359 2520 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:01:50:390 2520 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
19:01:50:421 2520 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:01:50:453 2520 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:01:50:484 2520 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:01:50:515 2520 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:01:50:546 2520 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:01:50:578 2520 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:01:50:609 2520 ossrv (8db15d0105d92c2fbca5e83cd882a477) C:\WINDOWS\system32\drivers\ctoss2k.sys
19:01:50:625 2520 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
19:01:50:640 2520 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:01:50:671 2520 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:01:50:671 2520 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:01:50:734 2520 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:01:50:765 2520 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:01:50:843 2520 pfc (2c1eb94c24a6a1d3434481b0a5fa9c08) C:\WINDOWS\system32\drivers\pfc.sys
19:01:50:875 2520 PfModNT (c8a2d6ff660ac601b7bb9a9b16a5c25e) C:\WINDOWS\system32\drivers\PfModNT.sys
19:01:50:906 2520 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:01:50:921 2520 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
19:01:50:937 2520 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:01:50:968 2520 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:01:51:015 2520 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:01:51:031 2520 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:01:51:062 2520 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:01:51:078 2520 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:01:51:093 2520 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:01:51:109 2520 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:01:51:125 2520 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:01:51:156 2520 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
19:01:51:171 2520 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:01:51:203 2520 s0016bus (59509ad6cbc28f2c73056268985b3e48) C:\WINDOWS\system32\DRIVERS\s0016bus.sys
19:01:51:234 2520 s0016mdfl (b98c3a6f91f4fba285af9606a240c6b4) C:\WINDOWS\system32\DRIVERS\s0016mdfl.sys
19:01:51:265 2520 s0016mdm (8a83426f4fb7b5212825d9de76368b1a) C:\WINDOWS\system32\DRIVERS\s0016mdm.sys
19:01:51:296 2520 s0016mgmt (7a78bba97feb5e6d24c49e93a3bf7287) C:\WINDOWS\system32\DRIVERS\s0016mgmt.sys
19:01:51:343 2520 s0016nd5 (34ef7b5f611957b73e7219dd5a222ad1) C:\WINDOWS\system32\DRIVERS\s0016nd5.sys
19:01:51:359 2520 s0016obex (36792935847143e4a3cda0dc87248487) C:\WINDOWS\system32\DRIVERS\s0016obex.sys
19:01:51:406 2520 s0016unic (927208754fb27fc3e7a659e77500c5d1) C:\WINDOWS\system32\DRIVERS\s0016unic.sys
19:01:51:437 2520 s616bus (ef4b5a8d53f15cb269469dd4e4bb0109) C:\WINDOWS\system32\DRIVERS\s616bus.sys
19:01:51:453 2520 s616mdfl (96187731eefcf83e844bc1ce6617aaeb) C:\WINDOWS\system32\DRIVERS\s616mdfl.sys
19:01:51:484 2520 s616mdm (d2dd87368bfecfa099e50dc120f3f513) C:\WINDOWS\system32\DRIVERS\s616mdm.sys
19:01:51:515 2520 s616mgmt (5f0be24e4d4fa134b0b2fef35d3a9d90) C:\WINDOWS\system32\DRIVERS\s616mgmt.sys
19:01:51:546 2520 s616nd5 (b9b507fcc67e204ef38e05ffd4176345) C:\WINDOWS\system32\DRIVERS\s616nd5.sys
19:01:51:578 2520 s616obex (f123a1f2a04a0e8dba80b64f0072475a) C:\WINDOWS\system32\DRIVERS\s616obex.sys
19:01:51:593 2520 s616unic (e7e55048ebd5c17bfa791b4a6ec3d54b) C:\WINDOWS\system32\DRIVERS\s616unic.sys
19:01:51:625 2520 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:01:51:640 2520 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
19:01:51:671 2520 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
19:01:51:687 2520 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:01:51:718 2520 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
19:01:51:765 2520 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:01:51:921 2520 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:01:52:156 2520 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
19:01:52:468 2520 sscdbhk5 (8114427ba5e18611c0868cff6c6e4bfa) C:\WINDOWS\system32\drivers\sscdbhk5.sys
19:01:52:656 2520 ssrtln (be3d4373f724f90914f44197713dffd1) C:\WINDOWS\system32\drivers\ssrtln.sys
19:01:52:671 2520 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
19:01:52:703 2520 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:01:52:718 2520 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:01:52:796 2520 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:01:52:828 2520 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:01:52:859 2520 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:01:52:890 2520 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:01:52:906 2520 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:01:52:953 2520 tfsnboio (558afa718c9e0597f022577acdcca1bc) C:\WINDOWS\system32\dla\tfsnboio.sys
19:01:52:968 2520 tfsncofs (1f12abb9242ea8a0a796a05bff5302fb) C:\WINDOWS\system32\dla\tfsncofs.sys
19:01:53:000 2520 tfsndrct (ee792eedf6978d90a07c4d3e00e00142) C:\WINDOWS\system32\dla\tfsndrct.sys
19:01:53:015 2520 tfsndres (222b83d6d9824a446246f3163ab1fd09) C:\WINDOWS\system32\dla\tfsndres.sys
19:01:53:031 2520 tfsnifs (416eb414e6d83d7ffa9e86f6ec35e183) C:\WINDOWS\system32\dla\tfsnifs.sys
19:01:53:046 2520 tfsnopio (e9e47af75e0ef846ee6ca2920de8797d) C:\WINDOWS\system32\dla\tfsnopio.sys
19:01:53:062 2520 tfsnpool (97eefa2c6c4fd67b36ff6ed96ff986e6) C:\WINDOWS\system32\dla\tfsnpool.sys
19:01:53:078 2520 tfsnudf (0b5d0ca8eef9f780516223175ee7e9ad) C:\WINDOWS\system32\dla\tfsnudf.sys
19:01:53:093 2520 tfsnudfa (ca04b26ce082a91e50f5dd1fb5cf3f78) C:\WINDOWS\system32\dla\tfsnudfa.sys
19:01:53:171 2520 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:01:53:203 2520 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
19:01:53:234 2520 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:01:53:265 2520 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:01:53:281 2520 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:01:53:312 2520 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:01:53:343 2520 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:01:53:359 2520 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:01:53:375 2520 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:01:53:390 2520 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
19:01:53:406 2520 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:01:53:437 2520 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:01:53:453 2520 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:01:53:500 2520 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
19:01:53:531 2520 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:01:53:593 2520 Winachcf (e3df12ce194d1da6ca7fdc0d8fbcb55e) C:\WINDOWS\system32\DRIVERS\winachcf.sys
19:01:53:625 2520 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
19:01:53:671 2520 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
19:01:53:703 2520 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
19:01:53:734 2520 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:01:53:750 2520 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:01:53:796 2520 yukonwxp (4322c32ced8c4772e039616dcbf01d3f) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
19:01:53:796 2520
19:01:53:796 2520 Completed
19:01:53:796 2520
19:01:53:796 2520 Results:
19:01:53:796 2520 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:01:53:796 2520 File objects infected / cured / cured on reboot: 0 / 0 / 0
19:01:53:796 2520
19:01:53:812 2520 KLMD(ARK) unloaded successfully

IndiGenus
2010-06-05, 03:05
Hmmm??? Nothing showing there. When you say it shuts down, what happens? Does it just turn off? Do you get a Blue Screen or errors?

IndiGenus
2010-06-05, 03:06
Try ComboFix again, once more. If that is still unsuccessful, then try running ComboFix in Safe Mode. Tap F8 on startup and select Safe Mode.

JarJar
2010-06-05, 03:15
It just shuts down with no errors really. It happens in Safe Mode also, which is what I've been doing most everything in up until after ComboFix restarted me. But after the restart I've been on for quite a while and nothing has happened.

IndiGenus
2010-06-05, 03:19
Well, try it again in Normal Mode.

If that fails, try Safe Mode.

If no go there, do this:

It may be BSOD'ing and we can't see it. So let's disable automatic restart.

Right-click “My Computer”
Select “Properties”
Go to the “Advanced” tab
Go to the Startup and Recovery settings
Clear or deselect the “Automatically restart” option

See if you now get a BSOD on shutdown and if so write down the message.

JarJar
2010-06-05, 03:55
ComboFix 10-06-03.01 - Jarvis Family 06/04/2010 19:17:12.1.2 - x86
Running from: c:\documents and settings\Jarvis Family\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\hpe4F9.dll
c:\documents and settings\Jarvis Family\GoToAssistDownloadHelper.exe
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\basis_br.xml
c:\program files\Fast Browser Search\IE\basis_de.xml
c:\program files\Fast Browser Search\IE\basis_en.xml
c:\program files\Fast Browser Search\IE\basis_es.xml
c:\program files\Fast Browser Search\IE\basis_fr.xml
c:\program files\Fast Browser Search\IE\basis_it.xml
c:\program files\Fast Browser Search\IE\basis_nr.xml
c:\program files\Fast Browser Search\IE\basis_pt.xml
c:\program files\Fast Browser Search\IE\basis_ru.xml
c:\program files\Fast Browser Search\IE\basis_tr.xml
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\fbstoolbar.jar
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\logobg.bmp
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\search_br.bmp
c:\program files\Fast Browser Search\IE\search_de.bmp
c:\program files\Fast Browser Search\IE\search_es.bmp
c:\program files\Fast Browser Search\IE\search_fr.bmp
c:\program files\Fast Browser Search\IE\search_it.bmp
c:\program files\Fast Browser Search\IE\search_pt.bmp
c:\program files\Fast Browser Search\IE\search_ru.bmp
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\MyWay
c:\program files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
c:\program files\MyWay\SrchAstt\1.bin\PARTNER.DAT
c:\program files\MyWay\SrchAstt\Cache\0002E342
c:\program files\MyWay\SrchAstt\Cache\00049C3C
c:\program files\MyWay\SrchAstt\Cache\023AE9DE
c:\program files\MyWay\SrchAstt\Cache\023AED2A
c:\program files\MyWay\SrchAstt\Cache\files.ini
c:\program files\MyWay\SrchAstt\Settings\prevcfg.htm
c:\program files\RelevantKnowledge
c:\program files\RelevantKnowledge\rlls(2).dll
c:\program files\RelevantKnowledge\rloci.bin
c:\program files\Seekapp
c:\program files\Seekapp\readme.html
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome.manifest
c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SahImages\bg-gradient.gif
c:\program files\SelectRebates\SahImages\button-close.gif
c:\program files\SelectRebates\SahImages\sah-logopop.gif
c:\program files\SelectRebates\SahImages\SAHS_popuplogo2.gif
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebates.exe
c:\program files\SelectRebates\SelectRebates.ini
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\program files\SelectRebates\SelectRebatesH.dat
c:\program files\SelectRebates\SRFF3.dll
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\CashBack.bmp
c:\program files\SelectRebates\Toolbar\Coupons.bmp
c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\ImageCache\alert-red.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\Scissors.bmp
C:\Thumbs.db
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.

2010-06-04 04:41 . 2010-06-04 05:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-04 04:41 . 2010-06-04 04:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-31 19:07 . 2010-05-31 19:08 -------- d-----w- c:\program files\ERUNT
2010-05-23 21:25 . 2010-05-23 21:25 -------- d-----w- c:\program files\CCleaner
2010-05-16 01:12 . 2010-05-16 01:12 -------- d-----w- C:\824c44ed3d90af577e91b5
2010-05-15 21:24 . 2010-05-15 21:24 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 00:48 . 2010-02-10 00:41 -------- d-----w- c:\documents and settings\Jarvis Family\Application Data\Dropbox
2010-06-05 00:48 . 2009-10-30 21:37 -------- d-----w- c:\documents and settings\Jarvis Family\Application Data\Skype
2010-06-05 00:46 . 2010-01-13 17:03 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 00:23 . 2009-01-03 02:57 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-0000000D-00001102-00000004-20021102}.dat
2010-06-05 00:23 . 2009-01-03 02:57 384 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-0000000D-00001102-00000004-20021102}.dat
2010-06-04 23:15 . 2010-01-23 16:29 -------- d-----w- c:\documents and settings\Jarvis Family\Application Data\HPAppData
2010-05-02 22:21 . 2010-01-02 22:11 -------- d-----w- c:\documents and settings\Jarvis Family\Application Data\gtk-2.0
2010-05-01 02:36 . 2010-05-01 02:36 -------- d-----w- c:\program files\Free M4a to MP3 Converter
2010-04-30 17:43 . 2010-04-30 17:43 -------- d-----w- c:\documents and settings\Jarvis Family\Application Data\Apowersoft
2010-04-30 17:43 . 2010-04-30 17:43 -------- d-----w- c:\program files\Apowersoft
2010-04-21 02:54 . 2010-04-21 02:54 -------- d-----w- c:\program files\GPLGS
2010-04-21 02:52 . 2010-04-21 02:52 -------- d-----w- c:\program files\Acro Software
2010-04-20 03:38 . 2009-11-26 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Zoom Player
2010-04-16 21:02 . 2010-04-16 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2010-04-16 20:58 . 2010-04-16 20:58 -------- d-----w- c:\program files\Sony Ericsson
2010-04-16 20:58 . 2010-04-16 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson
2010-04-16 20:58 . 2009-01-02 21:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-14 13:57 . 2009-12-26 16:25 79488 ----a-w- c:\documents and settings\Jarvis Family\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-11 12:38 . 2003-03-31 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2003-03-31 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 04:54 . 2010-02-16 04:19 50354 ----a-w- c:\documents and settings\Jarvis Family\Application Data\Facebook\uninstall.exe
2010-03-09 04:54 . 2010-03-09 04:54 2114184 ----a-w- c:\documents and settings\Jarvis Family\Application Data\Facebook\Install_Facebook_Plug-In_1.0.3.exe
2008-09-17 00:08 . 2009-01-31 17:21 65686 ----a-w- c:\program files\Photoshop CS4 Read Me.pdf
2008-09-11 16:49 . 2009-01-31 17:21 108336 ----a-w- c:\program files\Photoshop CS4 — Lisez-moi.pdf
2008-09-11 16:47 . 2009-01-31 17:21 103148 ----a-w- c:\program files\Léame de Photoshop CS4.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-01-20 16:34 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jarvis Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jarvis Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Jarvis Family\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIX10.exe" [2002-10-22 159744]
"SetDefaultMIDI"="MIDIDef.exe" [2007-04-09 28672]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-12 135168]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-10-08 818288]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-11-20 434176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-29 323584]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-23 136600]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"HP DLA"="c:\program files\HP DLA\dlatray.exe" [2001-06-12 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2001-06-19 32821]
"HP CD-DVD"="c:\program files\HP CD-DVD\Umbrella\hpcdtray.exe" [2001-06-19 36864]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

c:\documents and settings\Jarvis Family\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Jarvis Family\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2009-1-2 157000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
SkyWatch13.lnk - c:\program files\Common Files\SkyWatch13\TrueWeather.exe [2009-10-9 5790720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-28 05:34 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\patchget.dat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\SkyWatch13\\TrueWeather.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Documents and Settings\\Jarvis Family\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 bsofrwl;bsofrwl; [x]
R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-05-16 89256]
R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-05-16 15016]
R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-05-16 120744]
R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-05-16 114216]
R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-05-16 25512]
R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-05-16 110632]
R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-05-16 115752]
R4 Udfs-Disabled;Udfs-Disabled; [x]
S1 aswSP;avast! Self Protection; [x]
S1 hpcd2k;hpcd2k; [x]
S2 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\PythonService.exe [2009-01-03 10240]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php?#!/?sk=messages&tid=1246764423057
uInternet Connection Wizard,ShellNext = hxxp://www.avast.com/go.php?verb=register-home&lang=eng
uInternet Settings,ProxyOverride = *.local
IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Jarvis Family\Application Data\Mozilla\Firefox\Profiles\rew9tmxd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.worldmag.com/index.cfm
FF - prefs.js: keyword.URL - hxxp://wstb.search.imgag.com/?c=&sbs=1&sc=&f=web&vernum=3.1.3.7504&uid=&did={f8d4a70c-98e2-4081-901d-01bf93043ede}&q=
FF - component: c:\documents and settings\Jarvis Family\Application Data\Mozilla\Firefox\Profiles\rew9tmxd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Jarvis Family\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Jarvis Family\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Jarvis Family\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nprpverplug.dll
FF - plugin: c:\program files\Musicnotes\npmusicn.dll
FF - plugin: c:\program files\Musicnotes\NPSibelius.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
HKLM-Run-TkBellExe - c:\program files\RealMedia\Update_OB\evntsvc.exe
HKLM-Run-InetCntrl - c:\windows\system32\InetCntrl\InetCntrl.exe
HKLM-Run-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe
HKLM-Run-cubgssxh - c:\documents and settings\Jarvis Family\Local Settings\Application Data\scvhkxslb\mlafwwdtssd.exe
AddRemove-{0CD8A170-E470-11DB-3D6C-00D529464AE1} - c:\program files\Notation\Uninst_Notation Musician 2.5.2
AddRemove-{EF53DD60-C4E2-11DB-3D6C-167690F54AE1} - c:\program files\Notation\Uninst_Notation Composer 2.5.2



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 19:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:cd,d1,ce,5f,39,da,75,b6,ba,f0,19,36,fc,1c,1e,e1,39,64,f9,46,c1,
71,4d,6f,ed,cb,86,34,b7,f0,ab,19,de,5f,31,58,e6,17,50,8e,a6,26,89,41,23,72,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:cd,d1,ce,5f,39,da,75,b6,ba,f0,19,36,fc,1c,1e,e1,39,64,f9,46,c1,
71,4d,6f,ed,cb,86,34,b7,f0,ab,19,de,5f,31,58,e6,17,50,8e,a6,26,89,41,23,72,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1612)
c:\windows\system32\WININET.dll
c:\documents and settings\Jarvis Family\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Webshots\Webshots.scr
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-06-04 19:52:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-05 00:52

Pre-Run: 12,685,381,632 bytes free
Post-Run: 13,354,274,816 bytes free

- - End Of File - - 2D48A5C15F28B31F742FADD68F59C013

IndiGenus
2010-06-05, 04:01
Okay was that Safe Mode?

Please run DDS again and post BOTH logs.

JarJar
2010-06-05, 04:02
nope, that was normal. I'll run DDS again.

IndiGenus
2010-06-05, 04:03
nope, that was normal. I'll run DDS again.
:bigthumb:

JarJar
2010-06-05, 04:10
DDS (Ver_10-03-17.01) - NTFSx86
Run by Jarvis Family at 20:06:54.85 on Fri 06/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/home.php?#!/?sk=messages&tid=1246764423057
uInternet Connection Wizard,ShellNext = hxxp://www.avast.com/go.php?verb=register-home&lang=eng
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Bsecure Popup Blocker: {e0019445-4c1f-414d-a70e-ad80f231c584} - c:\windows\system32\inetcntrl\popupkil\BsafeBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
TB: {C17590D2-ECB4-4b15-8820-F58798DCC118} - No File
TB: Bsecure Popup Blocker: {e0019445-4c1f-414d-a70e-ad80f231c584} - c:\windows\system32\inetcntrl\popupkil\BsafeBHO.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ATI Remote Control] "c:\program files\ati multimedia\remctrl\ATIX10.exe"
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [HP DLA] "c:\program files\hp dla\dlatray.exe" /t
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HP CD-DVD] c:\program files\hp cd-dvd\umbrella\hpcdtray.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\jarvis~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\jarvis family\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\jarvis~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\jarvis~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\skywat~1.lnk - c:\program files\common files\skywatch13\TrueWeather.exe
IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: aol.com\free
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230875329609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jarvis~1\applic~1\mozilla\firefox\profiles\rew9tmxd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.worldmag.com/index.cfm
FF - prefs.js: keyword.URL - hxxp://wstb.search.imgag.com/?c=&sbs=1&sc=&f=web&vernum=3.1.3.7504&uid=&did={f8d4a70c-98e2-4081-901d-01bf93043ede}&q=
FF - component: c:\documents and settings\jarvis family\application data\mozilla\firefox\profiles\rew9tmxd.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\jarvis family\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\jarvis family\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\jarvis family\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\hewlett-packard\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpverplug.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-06-04 22:41:52 0 d-sha-r- C:\cmdcons
2010-06-04 22:39:07 98816 ----a-w- c:\windows\sed.exe
2010-06-04 22:39:07 77312 ----a-w- c:\windows\MBR.exe
2010-06-04 22:39:07 256512 ----a-w- c:\windows\PEV.exe
2010-06-04 22:39:07 161792 ----a-w- c:\windows\SWREG.exe
2010-06-04 04:41:34 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-04 04:41:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-23 21:25:07 0 d-----w- c:\program files\CCleaner
2010-05-16 01:12:37 0 d-----w- C:\824c44ed3d90af577e91b5
2010-05-15 21:24:00 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2008-09-17 00:08:50 65686 ----a-w- c:\program files\Photoshop CS4 Read Me.pdf
2008-09-11 16:49:26 108336 ----a-w- c:\program files\Photoshop CS4 — Lisez-moi.pdf
2008-09-11 16:47:50 103148 ----a-w- c:\program files\Léame de Photoshop CS4.pdf

============= FINISH: 20:07:05.04 ===============
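The Pseudo HJT Report section of a DDS log like the one above is what the helper reads first. The script below is an added example for this thread, not a tool that ships with DDS or that the helper used: it parses the BHO/TB/EB, Run, URLSearchHooks and StartupFolder lines, and reports the three things worth checking first, orphaned entries whose target is "No File", entries matching a watchlist of names the thread calls out as a potentially unwanted program (the Ask Toolbar; the watchlist itself is an assumption of this example), and Run entries that name a bare executable with no path, so the binary is resolved by PATH search and its real location still has to be confirmed. The sample lines are copied from the log posted above.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread; not a tool from DDS or from the helper.
It parses autostart and browser-extension lines and reports:
  * orphaned entries whose target is "No File" (leftover registry entries);
  * entries matching a watchlist of names the thread flags as a PUP
    (the Ask Toolbar; the list is an assumption of this example);
  * Run entries giving a bare executable name instead of a full path.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {C17590D2-ECB4-4b15-8820-F58798DCC118} - No File
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mURLSearchHooks: H - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\jarvis~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\jarvis family\application data\dropbox\bin\Dropbox.exe
"""

# Names the thread flags as a PUP; an assumption of this example, extend as needed.
WATCHLIST = ("ask toolbar", "askbar")

_BROWSER_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB): (?:(?P<name>.+?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
_RUN_RE = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
_HOOK_RE = re.compile(r"^(?P<kind>[um]URLSearchHooks): (?P<name>.+?) - (?P<target>.+)$")
_STARTUP_RE = re.compile(r"^(?P<kind>StartupFolder): (?P<name>.+?\.lnk) - (?P<target>.+)$")


@dataclass
class Entry:
    kind: str
    name: Optional[str]
    clsid: Optional[str]
    target: str


def parse_entries(text: str) -> List[Entry]:
    """Extract every recognised autostart/extension line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for rx in (_BROWSER_RE, _RUN_RE, _HOOK_RE, _STARTUP_RE):
            m = rx.match(line)
            if m:
                g = m.groupdict()
                entries.append(Entry(g["kind"], g.get("name"), g.get("clsid"), g["target"].strip()))
                break
    return entries


def _first_token(cmdline: str) -> str:
    """Executable part of a Run value: the quoted string if quoted, else the first word."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0]


def is_qualified(cmdline: str) -> bool:
    """True when the executable is given by drive letter, UNC path or %ENV% prefix."""
    return re.match(r"^(?:[a-zA-Z]:\\|\\\\|%)", _first_token(cmdline)) is not None


def triage(entries: List[Entry]) -> Dict[str, List[Entry]]:
    out: Dict[str, List[Entry]] = {"orphaned": [], "watchlist": [], "unqualified": []}
    for e in entries:
        if e.target.lower() == "no file":
            out["orphaned"].append(e)
            continue
        hay = f"{e.name or ''} {e.target}".lower()
        if any(w in hay for w in WATCHLIST):
            out["watchlist"].append(e)
        if e.kind.endswith("Run") and not is_qualified(e.target):
            out["unqualified"].append(e)
    return out


if __name__ == "__main__":
    for bucket, found in triage(parse_entries(SAMPLE_LOG)).items():
        print(f"== {bucket} ({len(found)})")
        for e in found:
            print(f"  {e.kind}: {e.name or e.clsid} -> {e.target}")
```

On the sample it lists the three "No File" leftovers, both Ask Toolbar entries, and the unqualified `CTXFIHLP.EXE` Run value (the same one the ComboFix hidden-autostart section above prints with a trailing question mark). Feed it the whole DDS log with `parse_entries(open("dds.txt").read())`; an unqualified entry is only a prompt to locate the file, not a verdict.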

IndiGenus
2010-06-05, 04:14
Okay how's it running?

AskBar.dll (Ask Toolbar) process can be removed to free up resources without compromising system performance. http://vil.nai.com/vil/content/v_146646.htm

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.
Ben Edelman http://blogs.zdnet.com/Spyware/?p=858

I discourage users from running Ask's toolbars for two reasons. First, Ask moves the browser's Address Bar from top-left (where it is found in every browser I've ever seen) to top-right. Ask puts its own search box in the top-left. So Ask's software makes it highly likely that users will accidentally conduct searches when they intend simply to navigate to sites they request by name.

Second, Ask's toolbar leads to landing pages that are objectionable in their own right. Ask's landing pages show ten ads - ten! - above the first organic result. On a 800×600 screen, that means 2 full pages of ads, plus a little bit more after that, all before the first organic result. That's ridiculous. No user deserves that, especially since organic results are safer than sponsored links.
It is advised that you uninstall this program to protect your privacy and computer security and to free up necessary resources. To uninstall the Ask Toolbar:
Click Start > Control Panel.
In Control Panel, double-click Uninstall Programs.
In Add or Remove Programs, highlight Ask Toolbar, click Remove.
Close the Add or Remove Programs and the Control Panel windows.

**********************************

Use ATF Cleaner to remove temp files, cookies, cache, etc...
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php)
Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Quick Scan", then click Scan.

The scan may take some time to finish, so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply.


***************************************

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

You need to use Internet Explorer for this scan.

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database: Extended (if available otherwise Standard)

Scan Options: Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

JarJar
2010-06-05, 04:32
seems to be okay but when I tried to uninstall ask toolbar it just sat and sat. Any other way to remove it? Things don't usually take that long to start uninstall.

IndiGenus
2010-06-05, 04:36
Could try Revo Uninstaller. I've had good luck with it in the past.

http://www.revouninstaller.com/revo_uninstaller_free_download.html

JarJar
2010-06-05, 04:56
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4170

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/4/2010 8:50:35 PM
mbam-log-2010-06-04 (20-50-35).txt

Scan type: Quick scan
Objects scanned: 131532
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

JarJar
2010-06-05, 06:38
not sure what's going on with the Kaspersky scan. I paused Avast while I scanned and I went to IE to do the scan and three times it stops at 9% on an i-tunes folder.

IndiGenus
2010-06-05, 06:49
Sometimes Kaspersky can take a long time to run. How long did you wait for it?

JarJar
2010-06-05, 07:14
Sorry to be unclear. It CLOSED the explorer window at 9%. I was just sitting there watching it the third time because I had walked away at 8% thinking it would be awhile the first couple times and realized something weird was happening.

IndiGenus
2010-06-05, 07:16
Sorry to be unclear. It CLOSED the explorer window at 9%. I was just sitting there watching it the third time because I had walked away at 8% thinking it would be awhile the first couple times and realized something weird was happening.
Ahh, okay...

We can try another scanner.

Eset Online Scanner (http://www.eset.com/onlinescan/)
Run with Internet Explorer

Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button, or click the notification bar at the top of the window and choose to install.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click the Details tab.
Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

JarJar
2010-06-05, 18:35
I was running ESET last night and it got to 31% and found a worm. I was a little shocked because I thought everything was gone. It looked like it was just sitting there so I had a feeling it was getting ready to crash. I wrote down what it said it found.

It was in the WIN 32 folder and was called:

Bagle.gen.zip worm

It started looking like it was continuing the scan then the computer crashed. No messages, just shut down.

So I am running it again this morning in safe mode.

IndiGenus
2010-06-05, 18:37
If it's found again please also write down the file name and let me know.

JarJar
2010-06-05, 18:38
Oh, and Firefox has crashed 4 times the few minutes I've been on. And I just got a message that CTF Loader has a problem and has to close. Don't even know what that is.

IndiGenus
2010-06-05, 18:42
Oh, and Firefox has crashed 4 times the few minutes I've been on. And I just got a message that CTF Loader has a problem and has to close. Don't even know what that is.
Not sure on the Firefox issue.

CTFMON.EXE (CTF Loader). Supports speech recognition, handwriting recognition, and other Alternative User Input services.

We can probably disable it if you don't need it.

JarJar
2010-06-05, 22:38
ESET found the same worm at about 31% then the computer crashed a minute later.

IndiGenus
2010-06-05, 23:15
ESET found the same worm at about 31% then the computer crashed a minute later.
Do you have a file name and location?

IndiGenus
2010-06-05, 23:19
Did you ever set your computer to not restart automatically as I had advised back at this post (http://forums.spybot.info/showpost.php?p=373268&postcount=19)?

JarJar
2010-06-05, 23:19
what I saw when ESET was running is what I typed before:

WIN32/Bagle.gen.zip worm

If there is more to it, you can't see it on ESET while it is running.

JarJar
2010-06-05, 23:20
no, but I will if it is important

IndiGenus
2010-06-05, 23:21
what I saw when ESET was running is what I typed before:

WIN32/Bagle.gen.zip worm

If there is more to it, you can't see it on ESET while it is running.
You had said it was in the system32 folder so I was hoping you could see what the file was.

IndiGenus
2010-06-05, 23:22
no, but I will if it is important
Yes, if it is BSOD'ing then the error code produced may help. It may not even be Malware related. Could be something overheating. How old and what type of PC is this?

JarJar
2010-06-08, 01:13
I tried to disable restart and got a message that Alerter needed to be turned on and that I had to do that in Admin Tools. Well I couldn't find admin tools so I haven't figured out how to do that yet. Then while trying to explain all this a couple days ago the computer shut down in the middle of my message. Fed up so I gave it a rest until today. I am on a different computer right now.

We got our computer in 2004 I think. Not sure what kind - it says Impacta by ASUS on the tower. Was built for video editing. Found out much too late that they did not put a big enough power source in when it was built and yes, it overheats, but usually will stay on most of the day. At least it did before this latest virus or whatever it was. We have it on top of the desk with the side off and a fan blowing on it when it's in use (one of the internal fans stopped working) - that has helped.

It does confuse things because I'm not always sure when it shuts off that it is because of the current infection. But it seemed back to "normal" until I ran that online virus scan and it found that worm file.

If I can get the computer to stay on long enough to work with files can I try pulling off pictures and video files/projects to a new external drive? I mean I guess I can, but is this worm going to affect everything I'm moving off? Most of my files are in a separate drive, but some are on the C drive.

IndiGenus
2010-06-08, 01:20
If I can get the computer to stay on long enough to work with files can I try pulling off pictures and video files/projects to a new external drive? I mean I guess I can, but is this worm going to affect everything I'm moving off? Most of my files are in a separate drive, but some are on the C drive.
That's up to you, and is sometimes the way to go when things keep shutting down and giving errors. It won't help if it's a heat related issue.

Chances are good if you are just backing up documents, pictures, and personal files that they will not be infected. You can always run a scan on your backup drive before importing it all back to the fresh OS.

You may have told me but I cannot remember and don't have time this second to review, but did you run a full system scan with Avast? If not I would suggest trying that. We can also try another online scanner too.

JarJar
2010-06-08, 01:27
I just want to get my "stuff" off before it completely wears out - so I probably will do that and continue to work on cleaning it up also. I was able to run the avast scan in standard mode and it didn't find anything. Spybot found and fixed things and nothing else seemed to. I would like to try another on-line scanner. Guess I will run the long version of the avast scan. Takes forever - hope it doesn't overheat in the middle of it.

IndiGenus
2010-06-08, 16:12
The quick scan on this one, which is the default, doesn't take too long.

TrendMicro™ HouseCall Scan
Please go HERE (http://www.trendmicro.com/hc_intro/default.asp) to run the Trend Micro™ HouseCall Scan.
Select the appropriate version from this page (32 or 64 bit) and download it to the desktop.
Run the executable file.
Read and put a Check next to I accept the terms of the license agreement.
Click Next.
Click the Scan Now button.
Please be patient while it scans your system.
Once the scan is complete, it will take you to the summary page.
Under Cleanup options, choose clean all detected infections automatically.
Click the Clean now>> button.
If anything was found you may be prompted to run the scan again, you can just close the browser window.

Post any details about the scan in your next reply along with a fresh DDS log and a description of how your PC is behaving.

JarJar
2010-06-11, 20:06
Just to let you know my status. Computer will start and sits on the screen showing the motherboard brand and pentium4 - whatever that screen is. About 1 out of 10 times it will open in safe mode but not long enough for me to get any of my files off to the external drive. Not sure if it's the end of the hard drive or if I need to re-load windows. Probably going to hook up the DVD drive and try it - can't hurt at this point. Thanks anyway.

IndiGenus
2010-06-11, 20:32
Hmmm.....

Another option is to make a PE disk, then boot off of that. Then you could run some tests on the drive, backup your files, etc... that's if it's not something like a RAM issue or other hardware issue (not hard drive). Do you have another PC and the resources to do this?

Here are the instructions for a disk one of our developers created that will allow you to do that and run some scans. Let's get a scan here and while you're in there you can use the explorer to copy your personal files. Let me know how you make out.

Please print these instructions out so that you know what you are doing

File details OTLPEStd.exe
Bytes=97,702,766
MB=93.1
MD5=FC1A07D156DE710955032B1CF7891671

File details OTLPENet.exe
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A

Download OTLPEStd.exe (http://oldtimer.geekstogo.com/OTLPEStd.exe) to your desktop
Download OTLPENet.exe (http://oldtimer.geekstogo.com/OTLPENet.exe) to your desktop
Ensure that you have a blank CD in the drive
Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
Double click OTLPENet.exe and this will then open imgburn to burn the file to CD

Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)


Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
Double-click on the OTLPE icon.
Select the Windows folder of the infected drive if it asks for a location
When asked "Do you wish to load the remote registry", select Yes
When asked "Do you wish to load remote user profile(s) for scanning", select Yes
Ensure the box "Automatically Load All Remaining Users" is checked and press OK
OTL should now start.
Drag and drop this attached scan.txt into the Custom scans and fixes box
Press Run Scan to start the scan.
When finished, the file will be saved in drive C:\OTL.txt
Copy this file to your USB drive if you do not have internet connection on this system.
Right click the file and select send to : select the USB drive.
Confirm that it has copied to the USB drive by selecting it
You can backup any files that you wish from this OS
Please post the contents of the C:\OTL.txt file in your reply.
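The post above lists an MD5 for each OTLPE image so the download can be checked before it is burned; a truncated or corrupted image is a common reason a boot CD fails to start. The helper below is an added example for this thread, not a tool from the OTLPE author: it hashes the file in chunks (the images are around 100 MB), compares case-insensitively against the published values copied from the post, and includes a self-check on a constructed file. MD5 is fine for catching a damaged download but is not collision-resistant, so it cannot show that a file was not deliberately substituted at the source.

```python
"""Check a downloaded rescue image against the MD5 its author published.

Added example for this thread, not a tool from the OTLPE author. The hashes
are the ones listed in the post above. Streaming the file through MD5 keeps
memory flat for a 100 MB image; the comparison is case-insensitive because
published hashes are often upper-case while hexdigest() is lower-case.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Copied from the post above: file name -> published MD5 (hex).
PUBLISHED_MD5 = {
    "OTLPEStd.exe": "FC1A07D156DE710955032B1CF7891671",
    "OTLPENet.exe": "8A7C5BA1C92552ADDCC5E468D0AA069A",
}


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, lower-case hex."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so a large image is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex: str) -> bool:
    """True when the file's MD5 equals the published one (case-insensitive)."""
    return md5_of_file(path).lower() == expected_hex.strip().lower()


def check_folder(folder) -> Dict[str, Optional[bool]]:
    """For each published image: True = matches, False = mismatch, None = not downloaded."""
    folder = Path(folder)
    result: Dict[str, Optional[bool]] = {}
    for name, expected in PUBLISHED_MD5.items():
        p = folder / name
        result[name] = verify_download(p, expected) if p.is_file() else None
    return result


def self_check() -> bool:
    """Exercise the helper on a constructed file; b"abc" has a well-known MD5."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "sample.bin"
        p.write_bytes(b"abc")
        ok = verify_download(p, "900150983CD24FB0D6963F7D28E17F72")
        bad = verify_download(p, "00000000000000000000000000000000")
    return ok and not bad


if __name__ == "__main__":
    print("self-check:", "pass" if self_check() else "FAIL")
    labels = {True: "OK", False: "MISMATCH - do not burn", None: "not found"}
    for name, status in check_folder(Path.home() / "Desktop").items():
        print(name, labels[status])
```

Run it from the machine that did the download; the script looks for the two images on the Desktop (where the post says to save them) and prints OK, MISMATCH or not found for each. A MISMATCH means download the file again rather than burn it.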

JarJar
2010-06-11, 22:59
Thanks for the suggestion. I will try it probably Monday.

IndiGenus
2010-06-11, 23:02
Thanks for the suggestion. I will try it probably Monday.
:bigthumb:

You're essentially bypassing the hard drive for loading the system. Hopefully you can still "see" it so you can copy your data. If it still won't load from a PE disk then it's probably not the hard drive or OS, and some other hardware issue.

JarJar
2010-06-15, 01:08
have printed the instructions but probably can't get to it for a couple days - hope it works. :)

JarJar
2010-06-19, 00:56
okay, I'm slow this week, will probably try this over the weekend.

IndiGenus
2010-06-19, 04:04
okay, I'm slow this week, will probably try this over the weekend.
No problem and thanks for checking in. We'll keep the thread open as long as you need as long as you check in within 5 days or so.

JarJar
2010-06-19, 22:29
I'm at my mom's house trying to load the two PE executables to a CD and it keeps saying cannot format medium-incompatible medium. I've used 4 CD's and it happens with all of them at about 83%. So I guess I will try it at some other computer but not sure when or where that will be. rats :(

IndiGenus
2010-06-19, 23:05
Hmmm??? I'm not sure why you're getting that. Could be any number of things I guess. Are these CD's all the same type? If so try another brand. Do you know if it is working otherwise?

JarJar
2010-06-21, 05:41
I think it usually works, but who knows. I will try another machine somewhere.

IndiGenus
2010-06-21, 15:57
There are other PE disks you could try, like UBCD (http://www.ultimatebootcd.com/), etc... but the one I gave is about the simplest to create. I wish I could be more help but there's only so much we can do to help with this kind of issue in a forum.

JarJar
2010-06-21, 16:55
well, my CD's worked fine on this computer. Yay! On to my next task...

IndiGenus
2010-06-21, 17:02
:bigthumb::bigthumb:

JarJar
2010-06-22, 19:05
I finally got to the screen allowing me to change the boot to CD and saved it so the CD loaded. BUT, after I could see the CD loading and windows starting the last screen was green vertical lines. This screen would flash off, then come back. I could see the light on my CD drive was still on. The last thing (I tried this several times) I have seen on my screen is what I call "plaid" because the screen now has horizontal lines - like it's trying to draw, but that's as far as it can go. I can see movement when I move my mouse and even saw the internet lights flashing so something is happening, I just can't see anything on my screen that I can work with.

IndiGenus
2010-06-22, 19:39
Boy I'm not sure what's going on there with this PC??? This may be something you'll need to bring to a shop to have them take a look at.

We could try another boot disk. I have a canned process from another expert (screen317) using a linux boot disk. It's pretty simple to create and use.

You will need a blank CD or flash drive, as well as software to burn .iso images, such as FreeISOBurner (http://www.freeisoburner.com/) or BurnCDCC (http://www.terabyteunlimited.com/downloads/burncdcc.zip).

Download PuppyLinux from here (http://distro.ibiblio.org/pub/linux/distributions/puppylinux/puppy-4.2-k2.6.25.16-seamonkey.iso) and save it to your Desktop.

Open FreeISOBurner. Configure it as follows:

1) Click Open and navigate to puppy-4.2-k2.6.25.16-seamonkey.iso on your Desktop.
2) Change the Drive to reflect the drive letter of your CD or USB drive.
3) Change the Burn Speed to as slow as possible (4x or lower preferred).
4) Click Burn
http://i269.photobucket.com/albums/jj45/screen317/freeisoburner-1.png
When it finishes, eject the CD and put it in the computer that will not boot.

If you have not already done so, configure that computer to boot from CD or USB first. To do so, restart your computer. Carefully read what appears on the screen to see which key needs to be pressed to enter Setup.

From there, navigate using the keyboard to the Boot section, then use the Page Up and Page Down keys to move the CDROM or USB option first. Afterward, press F10 to save and exit setup. When the computer restarts, it will boot from your CD or USB drive instead of the damaged hard drive, and you will be presented with PuppyLinux.

It will say Linux will boot automatically in 8 seconds. Let it. It will proceed to "boot the kernel." You will be presented with a number of options. Select the default option for everything and you will see an interface with several icons on it.

Click (only once) on mount and the Pmount Puppy Drive Mounter menu will open. Click MOUNT next to the hard drive that contains your Windows installation. Also mount any removable media you have inserted to transfer your data to.

A window will open titled /mnt/sda1 (or something similar).

You will now have access to all of your files in a familiar folder format. Let me know how you make out.

JarJar
2010-06-23, 20:27
I assume I have to mount my other internal hard drive also so I can move files from it to my external drive?

IndiGenus
2010-06-23, 20:30
Yes, you do.


Also mount any removable media you have inserted to transfer your data to.

JarJar
2010-06-24, 05:41
I got all my files off onto the new external drive, but it's not because the CDs I burned worked. When I was trying to use the second one, PuppyLinux, the CD drive didn't seem to work. So I stuck in the PE CD because at least it made the CD drive spin. Then when it started spinning, I ejected it and put the Puppy CD in and that actually helped it load. But all the default settings got me to a point where it said I had to type some stuff to re-run the video wizard. Same problem, nothing legible on the screen for me to click on. (Side note: after taking apart some of the innards awhile back - too confusing to explain right now, but wasn't sure everything got put back together right and in safe mode the white parts of the desktop are always green - so I wasn't surprised there was something goofy with the graphics or whatever.) So somewhere in there as I was trading CDs back and forth a different screen came up and told me I wasn't finished loading Windows, etc. I turned off the computer and turned it back on and wasn't paying attention and it started loading the normal way. Not sure how because remember it was set to boot from the CD drive. (Maybe because the CD drive was acting so sluggish it by-passed it???) But anyway, it recognized my external drive and I started pulling things over there and now I have all but the stuff on C like programs all on the external. I cleaned off C actually, didn't just copy. I was WAY full. So I ran a thorough scan with Avast just on the Windows folder cuz I thought there was a worm because that on-line scanner thing supposedly found one there and nothing. So what do I do now?

JarJar
2010-06-24, 05:43
"It" was full, not me. :)

IndiGenus
2010-06-24, 06:31
I got all my files off onto the new external drive, but it's not because the CDs I burned worked. When I was trying to use the second one, PuppyLinux, the CD drive didn't seem to work. So I stuck in the PE CD because at least it made the CD drive spin. Then when it started spinning, I ejected it and put the Puppy CD in and that actually helped it load. But all the default settings got me to a point where it said I had to type some stuff to re-run the video wizard. Same problem, nothing legible on the screen for me to click on. (Side note: after taking apart some of the innards awhile back - too confusing to explain right now, but wasn't sure everything got put back together right and in safe mode the white parts of the desktop are always green - so I wasn't surprised there was something goofy with the graphics or whatever.) So somewhere in there as I was trading CDs back and forth a different screen came up and told me I wasn't finished loading Windows, etc. I turned off the computer and turned it back on and wasn't paying attention and it started loading the normal way. Not sure how because remember it was set to boot from the CD drive. (Maybe because the CD drive was acting so sluggish it by-passed it???) But anyway, it recognized my external drive and I started pulling things over there and now I have all but the stuff on C like programs all on the external. I cleaned off C actually, didn't just copy. I was WAY full. So I ran a thorough scan with Avast just on the Windows folder cuz I thought there was a worm because that on-line scanner thing supposedly found one there and nothing. So what do I do now?
Clear as mud....;)

IndiGenus
2010-06-24, 06:33
"It" was full, not me. :)
I understand.

You probably didn't want to copy over programs and such, because you would likely need to re-install them anyway if you start fresh. Basically you just want your data. Like docs, music, pictures, email, etc...

Does the computer still not boot normally, or in Safe Mode?

JarJar
2010-06-24, 08:11
Okay, a little wordy, sorry. :) Sort of happy, sort of annoyed. :0

As far as booting normally, haven't turned it off, it's been on for 6 hours acting "normal". We are trying to export a video project before the inevitable crash happens. (cannot find a good DVD, bleh) Then I suppose I will try to restart it or I may just leave it on forever...

IndiGenus
2010-06-24, 18:29
Okay since it's running have you tried any of the online scans? The last one I gave was for Trend Micro. I posted it here (http://forums.spybot.info/showpost.php?p=373632&postcount=47).

Try that and see what we get.

JarJar
2010-06-24, 19:12
Had to restart and it seems to reboot the normal way. I will try the on-line scan.

IndiGenus
2010-06-24, 19:30
:bigthumb:

JarJar
2010-06-24, 20:49
When I ran TrendMicro my Avast was still running and it popped up with a virus and told me to move to chest. I did, but I am not sure what it was. I thought it said it was a worm and it was in the system 32 folder. But I am looking in my Avast chest and I see something called iDump.exe and it says it was in C:\Program Files\Dump

IndiGenus
2010-06-24, 21:43
Did Trend Micro find anything?

JarJar
2010-06-24, 22:31
Oh, I forgot, Trend Micro found something else - called a rogue something.

IndiGenus
2010-06-24, 23:31
Okay did Trend clean it? If so I would just say let things run for a couple days and check back in.

JarJar
2010-06-24, 23:40
yes, it did, so okay I will check back in after awhile - thanks :)

JarJar
2010-06-25, 03:40
I'm not too impressed with Avast after all this but don't know what we should replace it with, if anything.
The guy who sold the computer to us years ago said it was better than Norton or McAfee because they slow down your computer too much.
I just want something that works better. We have a content filter so we avoid a lot of questionable sites that way, but obviously we still are running into problems that Avast doesn't catch.

IndiGenus
2010-06-25, 03:44
Well, no one AV is going to catch everything. With that said, for the free products I recommend Avira Antivir. If anything sometimes it's too aggressive and will give false positives, but I think it's the best of the 3 big free "A's" (AVG, Avast, Avira).

http://www.free-av.com/en/trialpay_download/1/avira_antivir_personal__free_antivirus.html

Make sure to uninstall Avast first if you do decide to switch.

JarJar
2010-06-25, 04:15
that's true, are the ones you have to buy better?

IndiGenus
2010-06-25, 04:23
that's true, are the ones you have to buy better?
Not necessarily, and they do tend to slow down older PCs. The nice thing about the "suites" is that it's all in one place and easier to manage. I prefer the "roll my own" method but it involves installing different programs, keeping them updated and staying on top of things. It's more a matter of what you prefer. But Avira comes up near the top in most tests against some of the top AVs. Here is the rest of what I recommend if you want to come up with your own.

Use AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. Here is a list of some free and evaluation versions to try:
AVG AntiVirus (http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free)
Avast Antivirus Home Version--Free (http://www.avast.com/eng/avast_4_home.html)
Antivir Personal - Free (http://www.free-av.com/)

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall.
Online-Armor (http://www.tallemu.com/free-firewall-protection-software.html)
Outpost Firewall (http://www.agnitum.com/products/outpostfree/)
For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/index.php?showtutorial=60)

Install SpywareBlaster - SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49)

Install Winpatrol -
Use Winpatrol (http://www.winpatrol.com/) to take control of your PC and provide another layer of security.
Help file and tutorial can be found Here (http://www.winpatrol.com/features.html)

Block unwanted parasites with a custom hosts file -
http://www.mvps.org/winhelp2002/hosts.htm

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Keep your applications up to date -
Use Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) to help stay on top of application updates that could leave your PC vulnerable to attack.
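
As an added illustration of the "custom hosts file" item above (example code written for this thread, not a tool from the forum, the MVPS hosts project or any AV vendor): a blocking hosts file works by mapping unwanted hostnames to a sinkhole address such as 0.0.0.0 or 127.0.0.1, so the browser never reaches them. The flip side is that the same file is a common place for malware to point update or AV sites somewhere else, so the script below parses a hosts file, keeps the intended blocking entries, and flags any mapping that touches a watch list of domains that should never be in the file at all. The sample hosts text, the watch list and the 203.0.113.5 address are all constructed for the example.

```python
"""Audit a Windows hosts file: keep blocking entries, flag hijacks.

Added example for the forum thread above; not tooling from the thread,
mvps.org or any AV product.  All sample data below is constructed.
"""
import ipaddress

# Addresses a blocking hosts list maps unwanted names to: traffic goes nowhere.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Domains that should never be sinkholed or redirected by a hosts file.
# This is a constructed watch list for the example; extend it as needed.
PROTECTED_DOMAINS = (
    "windowsupdate.com", "microsoft.com",
    "avast.com", "avira.com", "free-av.com", "secunia.com",
)

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping; comments are ignored."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)           # skip lines that are not mappings
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower().rstrip("."), line_no))
    return entries


def is_protected(name):
    """Exact or subdomain match only, so 'evilmicrosoft.com' does not match."""
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text):
    """Classify each mapping as 'local', 'block', 'hijack' or 'redirect'."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in LOCAL_NAMES:
            kind = "local"       # normal loopback entries
        elif is_protected(name):
            kind = "hijack"      # a watched domain sinkholed or redirected
        elif ip in SINKHOLE_ADDRESSES:
            kind = "block"       # the intended use of a blocking hosts file
        else:
            kind = "redirect"    # a real address for a name: review by hand
        findings.append({"line": line_no, "ip": ip, "host": name, "kind": kind})
    return findings


def suspicious(text):
    """Only the entries a cleanup should look at."""
    return [f for f in audit_hosts(text) if f["kind"] in ("hijack", "redirect")]


# Constructed sample hosts file; 203.0.113.5 is a documentation address.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1 localhost
0.0.0.0 ads.example.net        # blocking entry from a hosts list
0.0.0.0 tracker.example.org
203.0.113.5 www.windowsupdate.com   # update site pointed elsewhere
0.0.0.0 avast.com                   # AV site sinkholed
203.0.113.5 intranet.example.com    # ordinary redirect, review manually
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2}: {f['kind']:<8} {f['ip']:<15} {f['host']}")
```

On a real machine you would read the file from %SystemRoot%\System32\drivers\etc\hosts (it may be CRLF-terminated, which splitlines handles) and feed it to audit_hosts; anything reported as "hijack" means a domain on the watch list is being blocked or redirected, which is not what a blocking list is supposed to do.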

JarJar
2010-06-25, 06:54
We have always squeaked by just with Avast and sometimes Spybot and similar programs because I've never really known what all we needed to be doing. Helps a LOT to have your to-do list, thanks.

IndiGenus
2010-06-26, 17:17
Glad it helps.

Since things appear to be running pretty well at this time we should clean up the tools we've used.

Uninstall Combofix

Click START then RUN
Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the /U; it needs to be there.

The above procedure will:

Delete the following: ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
For the remainder you can do the following:

Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

JarJar
2010-06-29, 06:48
Do you know anything about Outlook? I use Outlook 2003 and for some reason it is having problems sending and receiving. I've been just logging onto my e-mail website, but I really dislike it and wish I could just use Outlook. I've checked my settings and unchecked authenticate outgoing server and lengthened the server timeout but it just cancels my incoming and outgoing server when I try to test the account. It says it has successfully established the network connection. The Microsoft website doesn't really help with the error code so I will keep looking around to see if anybody knows what to do. thanks

IndiGenus
2010-06-29, 15:58
Are you sure you have all the correct settings? Such as the right port numbers. Who is the email provider?

JarJar
2010-06-29, 20:53
Embarq, which is now CenturyLink. It had stopped working after the virus thing started but I figured it would work once everything was cleaned up but still nothing.

IndiGenus
2010-06-30, 00:19
Is that your internet provider? Never heard of them.

Have you tried re-installing the software?

JarJar
2010-06-30, 21:28
it's our phone company/DSL provider - I tried "repair" on Outlook and it didn't help. I suppose something needs to be changed on my settings, but don't know how they got changed to something that doesn't work. ugh

IndiGenus
2010-06-30, 21:35
I assume you are referring to an email account with your provider, not Yahoo or Google, or some other provider, right?

I would suggest you contact them and ask what the settings should be. You may also be able to find the settings on their website for setting up Outlook. They may use some unique port settings that you will need to set.

JarJar
2010-07-01, 07:05
yes & true - I will look

JarJar
2010-07-02, 07:59
My settings match the tutorial on the e-mail website. One thing I have seen on some websites when I did a search for my problem was that there is this idea that firewalls can block the connection to the server. I disabled Online Armor but that didn't help. Are there other programs from the list you gave me that I should investigate to see if they are doing something to Outlook?

When I test the settings in Outlook what happens is that it says test account settings was cancelled.

IndiGenus
2010-07-02, 17:51
Well there are many things that could be going on. Rather than having me just point you to links and shotgunning this, I suggest you post for help in a forum area that specializes in this. One suggestion would be to go here (http://forums.whatthetech.com/index.php?showforum=123). I do malware removal help over there and I know the techs there are outstanding too.

You can put a link into the topic here so they know what we've been doing.

Good luck,
Dave

JarJar
2010-07-03, 06:12
thanks :)