Got some browser trouble: redirects and random ad pages opening in new tabs



theredfox
2010-09-11, 02:58
Hi, during the past couple of weeks, I've been having trouble with my browser (IE, Firefox, and Chrome all affected) getting redirected while conducting searches on the web through Google. I've tried scanning with multiple products (Spybot, Ad-Aware, Malwarebytes, Norton Anti-Virus), and though these scans found multiple malware files that I then was able to fix, the problem I was having with the redirects persisted. I tried installing Redirect Remover on Firefox (what I usually use) to solve it, but that didn't help. So, I thought I'd come to the experts here at Spybot for some more in-depth help :).

In addition to the redirects, I have noticed that svchost.exe will use up to 160,000 K of my memory. I read about this happening in another post here, and thought I should mention it.

Finally, while investigating some quarantined files with Norton, I tried deleting a couple, not knowing what would happen. Now, I get a prompt upon starting Windows that atrpos32.dll can't be found. Not sure if this will be a problem down the road or not. Anyway, thanks for your help!

DDS follows...

DDS (Ver_10-03-17.01) - NTFSx86
Run by Daniel at 19:41:41.32 on Fri 09/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.967 [GMT -5:00]

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\lvcomsx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.PROBLEM.exe
C:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Daniel\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Kyubu] rundll32.exe "c:\windows\atrpos32.dll",Startup
uRun: [Google Update] "c:\documents and settings\daniel\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [CTHelper] CTHELPER.EXE
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Jkirova] rundll32.exe "c:\windows\ovovurogehuda.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08c1 -f video -m logitech -d 11.0.0.1217
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.PROBLEM.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel\applic~1\mozilla\firefox\profiles\me7gvhrl.default\
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\daniel\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {1C187B0E-32E9-4CE1-8829-BC613EF88842} - c:\documents and settings\daniel\local settings\application data\{1C187B0E-32E9-4CE1-8829-BC613EF88842}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-8 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355928]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-20 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100910.003\naveng.sys [2010-9-10 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100910.003\navex15.sys [2010-9-10 1362608]
S2 gupdate1c93c888294d7c2;Google Update Service (gupdate1c93c888294d7c2);c:\program files\google\update\GoogleUpdate.exe [2008-11-1 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

=============== Created Last 30 ================

2010-09-10 21:19:16 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-09-10 20:42:22 0 d-----w- c:\docume~1\daniel\applic~1\Malwarebytes
2010-09-10 20:42:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-10 20:42:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-10 20:42:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-10 20:42:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 01:52:17 37 ----a-w- c:\windows\Viewer.ini
2010-09-10 01:50:41 409 ----a-w- c:\windows\SIERRA.IN~
2010-09-10 01:50:30 0 d-----w- C:\SIERRA
2010-09-10 01:47:02 482 ----a-w- c:\windows\SIERRA.INI
2010-09-09 04:00:47 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-09 03:43:00 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-09 03:40:04 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-09 03:39:36 0 d-----w- c:\program files\Lavasoft
2010-08-15 23:21:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-15 23:21:24 423656 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-09-10 21:22:08 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-10 23:29:39 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-10 23:29:30 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 22:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2008-02-18 02:10:22 88 --sh--r- c:\windows\system32\2DF8D85242.sys
2008-02-18 02:10:22 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-11-13 02:20:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111220081113\index.dat

============= FINISH: 19:43:51.32 ===============
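The Pseudo HJT report above carries the entries an analyst would look at first: two rundll32 autoruns (Kyubu and Jkirova) loading oddly named DLLs straight out of c:\windows, and a Hosts line sinkholing a security-help site. The following triage script is an added example, not part of this thread or of the DDS tool; it parses constructed lines in the same DDS format, and the list of security sites it watches is an assumption, as is the heuristic that a rundll32 autorun whose DLL lives directly in the Windows root is worth a look.

```python
"""Triage helper for DDS "Pseudo HJT Report" autorun and Hosts lines.

Added example (not from the forum thread or the DDS tool).  It flags:
  * uRun/mRun/dRunOnce entries where rundll32 loads a DLL that sits directly in
    the Windows directory (legitimate software installs into system32 or
    Program Files, so a bare c:\\windows\\*.dll autorun is a common malware tell);
  * Hosts entries that map a security-help site to 127.0.0.1.
The SECURITY_SITES list and the sample report are constructed for this demo.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Line shapes as DDS prints them in the Pseudo HJT section.
AUTORUN_RE = re.compile(r'^(?P<hive>[umd]Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
HOSTS_RE = re.compile(r'^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)', re.IGNORECASE)
# rundll32[.exe] "<dll>",Entry  or  rundll32 <dll>,Entry  -> capture the DLL path.
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)
# A DLL directly under the Windows directory, with no further subfolder.
WINROOT_DLL_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.dll$', re.IGNORECASE)

# Constructed watch list of sites that redirect/rootkit infections like to sinkhole.
SECURITY_SITES = {
    "www.spywareinfo.com", "forums.spybot.info", "www.bleepingcomputer.com",
    "www.malwarebytes.org", "securityresponse.symantec.com",
}


@dataclass(frozen=True)
class Finding:
    line: str    # the DDS line as seen
    reason: str  # why it was flagged


def check_autorun(line: str) -> Optional[Finding]:
    """Flag rundll32 autoruns whose DLL sits directly in the Windows root."""
    m = AUTORUN_RE.match(line)
    if not m:
        return None
    r = RUNDLL_RE.search(m.group("cmd"))
    if not r:
        return None
    dll = r.group("dll").strip().replace("/", "\\")
    if WINROOT_DLL_RE.match(dll):
        return Finding(line, f"rundll32 autorun '{m.group('name')}' loads {dll} from the Windows root")
    return None


def check_hosts(line: str) -> Optional[Finding]:
    """Flag Hosts lines that point a known security-help site at a local address."""
    m = HOSTS_RE.match(line)
    if not m:
        return None
    host = m.group("host").lower()
    if host in SECURITY_SITES:
        return Finding(line, f"hosts file maps security site {host} to {m.group('ip')}")
    return None


CHECKS: List[Callable[[str], Optional[Finding]]] = [check_autorun, check_hosts]


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run every check over each line; first matching check wins for a line."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        for check in CHECKS:
            f = check(line)
            if f is not None:
                findings.append(f)
                break
    return findings


# Constructed sample in DDS format: the two suspicious autoruns and the Hosts
# line from the report above, plus benign entries that must not be flagged.
SAMPLE_REPORT = r"""
uRun: [Kyubu] rundll32.exe "c:\windows\atrpos32.dll",Startup
uRun: [Google Update] "c:\documents and settings\daniel\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Jkirova] rundll32.exe "c:\windows\ovovurogehuda.dll",Startup
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.1 ads.example.invalid
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT.splitlines()):
        print(f"{f.reason}\n    {f.line}")
```

Against the constructed sample this reports exactly the Kyubu and Jkirova autoruns and the spywareinfo.com Hosts line; the NvCpl entry (a DLL under system32) and the ad-blocking Hosts line pass.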

ken545
2010-09-12, 04:05


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

I am looking at possible markers in your log for a Rootkit



Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

theredfox
2010-09-12, 17:26
Hey Ken545, thanks for the quick response. I ran the ComboFix this morning and have pasted the log below. Below that is the new DDS log (I'm assuming that's what was meant by a new HijackThis log, but if I'm wrong, I'll gladly reply with what's needed). I've also attached the "attach.zip" file that was created (named it attach2.zip).

Two things happened during the ComboFix scan that I thought I should tell you about. First, after ComboFix found a rootkit and restarted, my Symantec auto-protect kicked in, even though I thought I had disabled it, and informed me that it had encountered a couple of risks (Backdoor.Tidserv.I!inf), and that it could only partially resolve. I have attached this log as well: "symantec log.csv". The second thing that happened was that after ComboFix had completed its entire scan and was restarting my computer, I received a brief notification that some "instruction @ FreeAgentService" or something had failed. Unfortunately, that was all I could read before the notice disappeared and my computer restarted.

Anyway, thanks again for your help! You guys at Spybot rock!

ComboFix log follows:

ComboFix 10-09-11.03 - Daniel 09/12/2010 9:25.1.2 - x86
Running from: c:\documents and settings\Daniel\Desktop\Combo-Fix.exe
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dad\Local Settings\Application Data\{F42AAAB4-FFA0-4963-86AA-FA1C560F477C}
c:\documents and settings\Dad\Local Settings\Application Data\{F42AAAB4-FFA0-4963-86AA-FA1C560F477C}\chrome.manifest
c:\documents and settings\Dad\Local Settings\Application Data\{F42AAAB4-FFA0-4963-86AA-FA1C560F477C}\chrome\content\_cfg.js
c:\documents and settings\Dad\Local Settings\Application Data\{F42AAAB4-FFA0-4963-86AA-FA1C560F477C}\chrome\content\overlay.xul
c:\documents and settings\Dad\Local Settings\Application Data\{F42AAAB4-FFA0-4963-86AA-FA1C560F477C}\install.rdf
c:\documents and settings\Daniel\Local Settings\Application Data\{1C187B0E-32E9-4CE1-8829-BC613EF88842}
c:\documents and settings\Daniel\Local Settings\Application Data\{1C187B0E-32E9-4CE1-8829-BC613EF88842}\chrome.manifest
c:\documents and settings\Daniel\Local Settings\Application Data\{1C187B0E-32E9-4CE1-8829-BC613EF88842}\chrome\content\_cfg.js
c:\documents and settings\Daniel\Local Settings\Application Data\{1C187B0E-32E9-4CE1-8829-BC613EF88842}\chrome\content\overlay.xul
c:\documents and settings\Daniel\Local Settings\Application Data\{1C187B0E-32E9-4CE1-8829-BC613EF88842}\install.rdf
c:\documents and settings\Daniel\My Documents\backup.reg
c:\temp\0b9
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\pthreadVC.dll

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-08-12 to 2010-09-12 )))))))))))))))))))))))))))))))
.

2010-09-12 03:54 . 2010-09-12 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-09-12 03:54 . 2010-09-12 03:54 -------- d-----w- c:\program files\Seagate
2010-09-12 03:53 . 2010-09-12 03:53 -------- d-----w- c:\program files\Carbonite
2010-09-11 19:16 . 2010-09-11 19:16 -------- d-----w- c:\program files\Common Files\Skype
2010-09-11 00:38 . 2010-09-11 00:39 -------- d-----w- c:\program files\ERUNT
2010-09-10 21:19 . 2010-09-10 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
2010-09-10 20:42 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-10 20:42 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 01:50 . 2010-09-10 01:50 -------- d-----w- C:\SIERRA
2010-09-09 04:00 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-09 03:43 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-09 03:40 . 2010-09-09 03:40 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\Sunbelt Software
2010-09-09 03:40 . 2010-09-09 03:40 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-09 03:39 . 2010-09-09 03:39 -------- d-----w- c:\program files\Lavasoft
2010-09-03 02:04 . 2010-09-03 02:04 214040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-15 23:22 . 2010-08-15 23:22 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 23:21 . 2010-08-15 23:21 423656 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-12 14:42 . 2006-07-22 02:31 -------- d-----w- c:\program files\Symantec AntiVirus
2010-09-12 14:38 . 2006-07-23 19:33 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-09-12 11:13 . 2010-08-11 05:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-12 03:54 . 2006-07-19 17:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-11 22:39 . 2010-01-11 18:37 -------- d-----w- c:\documents and settings\Daniel\Application Data\Skype
2010-09-11 19:10 . 2010-01-11 18:42 -------- d-----w- c:\documents and settings\Daniel\Application Data\skypePM
2010-09-11 04:44 . 2010-08-11 04:16 120 ----a-w- c:\windows\Vhosadi.dat
2010-09-10 20:09 . 2007-06-28 03:33 -------- d-----w- c:\program files\QuickTime
2010-09-10 20:06 . 2007-06-28 03:32 -------- d-----w- c:\program files\Apple Software Update
2010-09-10 18:29 . 2010-08-11 04:16 0 ----a-w- c:\windows\Uromaciwi.bin
2010-09-09 03:39 . 2009-03-17 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-20 00:58 . 2010-08-20 00:58 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx3B.tmp
2010-08-20 00:54 . 2010-08-20 00:54 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx39.tmp
2010-08-17 00:15 . 2010-08-17 00:15 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1B.tmp
2010-08-17 00:13 . 2010-08-17 00:13 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx19.tmp
2010-08-15 23:20 . 2006-07-19 16:59 -------- d-----w- c:\program files\Java
2010-08-15 04:13 . 2009-10-15 22:57 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-12 21:09 . 2006-07-19 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\GTek
2010-08-12 21:07 . 2006-07-19 17:03 -------- d-----w- c:\program files\Dell
2010-08-12 21:07 . 2006-07-19 17:07 -------- d-----w- c:\program files\Real
2010-08-12 20:57 . 2006-07-19 17:03 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-08-12 20:56 . 2006-07-19 17:03 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-08-12 20:52 . 2007-06-28 18:48 -------- d-----w- c:\program files\Steam
2010-08-12 20:44 . 2006-07-19 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-08-12 20:44 . 2006-07-19 17:07 -------- d-----w- c:\program files\Common Files\AOL
2010-08-12 20:43 . 2006-07-19 17:07 -------- d-----w- c:\program files\Common Files\aolshare
2010-08-10 23:29 . 2007-12-25 20:31 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-10 23:29 . 2007-12-25 20:31 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-08-10 01:26 . 2010-08-10 01:26 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx22.tmp
2010-08-10 01:26 . 2010-08-10 01:26 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx21.tmp
2010-08-10 01:24 . 2010-08-10 01:24 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx20.tmp
2010-08-10 01:24 . 2010-08-10 01:24 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1F.tmp
2010-08-10 01:23 . 2010-08-10 01:23 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1E.tmp
2010-08-10 01:19 . 2010-08-10 01:19 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1D.tmp
2010-08-10 00:39 . 2010-08-10 00:39 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx5C.tmp
2010-08-10 00:37 . 2010-08-10 00:37 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx56.tmp
2010-08-10 00:33 . 2010-08-10 00:33 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx3D.tmp
2010-08-03 21:15 . 2006-09-04 19:56 -------- d-----w- c:\documents and settings\Daniel\Application Data\Image Zone Express
2010-08-01 04:13 . 2010-08-01 04:13 -------- d-----w- c:\documents and settings\Daniel\Application Data\MSNInstaller
2010-07-30 05:29 . 2010-07-30 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-07-30 03:43 . 2010-07-30 03:43 -------- d-----w- c:\program files\Belkin
2010-06-30 12:31 . 2004-08-11 22:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-11 22:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-11 22:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-11 22:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 17:19 . 2010-06-15 17:19 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx15.tmp
2008-02-18 02:10 . 2006-07-22 22:12 88 --sh--r- c:\windows\system32\2DF8D85242.sys
2008-02-18 02:10 . 2006-07-22 22:12 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-05-11 441120]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^YouTube Uploader.lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\YouTube Uploader.lnk
backup=c:\windows\pss\YouTube Uploader.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-09-09 03:42 864624 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-23 00:42 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 06:00 45056 ------w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-30 14:47 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-04-01 18:04 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
2005-12-07 14:26 489472 ----a-w- c:\program files\Logitech\Video\CameraAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
2005-12-07 14:33 73728 ----a-w- c:\program files\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcq]
2005-09-14 19:40 229466 ------w- c:\program files\Creative\Shared Files\Media Sniffer\MtdAcq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-12 04:08 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-16 04:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-03-17 10:34 124656 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"Kyubu"=rundll32.exe "c:\windows\atrpos32.dll",Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"CTxfiHlp"=CTXFIHLP.EXE
"Jkirova"=rundll32.exe "c:\windows\ovovurogehuda.dll",Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\dmw2788\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\tubabubba\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/8/2010 10:43 PM 64288]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/20/2007 11:18 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/29/2010 12:02 AM 102448]
S2 gupdate1c93c888294d7c2;Google Update Service (gupdate1c93c888294d7c2);c:\program files\Google\Update\GoogleUpdate.exe [11/1/2008 8:15 PM 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 7:15 AM 15008]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 5:34 AM 115952]
.
Contents of the 'Scheduled Tasks' folder

2010-09-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 03:42]

2009-09-02 c:\windows\Tasks\Blue Devils - F-Tuning (Ditty Cadence).job
- c:\documents and settings\Daniel\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Naruto\11 Track 11 (rap).m4a [2007-10-07 06:11]

2010-06-16 c:\windows\Tasks\Cancel apartment insurance policy reminder.job
- c:\documents and settings\Daniel\My Documents\Cancel your apartment insurance.doc [2010-06-16 18:24]

2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-02 01:15]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-02 01:15]

2010-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311269471-1733383960-847243865-1005Core.job
- c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 18:59]

2010-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311269471-1733383960-847243865-1005UA.job
- c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 18:59]

2009-01-03 c:\windows\Tasks\Journal reminder.job
- c:\documents and settings\Daniel\My Documents\Journal\reminder 2.txt [2007-08-24 02:00]

2010-09-12 c:\windows\Tasks\Microsoft Office Word 2003.job
- c:\documents and settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office Word 2003.lnk [2006-07-22 02:03]

2010-09-08 c:\windows\Tasks\User_Feed_Synchronization-{1BF8318D-0EC3-416B-BC83-385052EB66C3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\me7gvhrl.default\
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
MSConfigStartUp-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MSConfigStartUp-DMXLauncher - c:\program files\Dell\Media Experience\DMXLauncher.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-Google Update - c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\1.0.97.0\GoogleUpdate.exe
MSConfigStartUp-revsuqxm - c:\documents and settings\Daniel\Local Settings\Application Data\hkeektqfd\eenbfbgtssd.exe
AddRemove-AndesOLI - c:\andesoli\Uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-12 09:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3311269471-1733383960-847243865-1005\Software\SecuROM\License information*]
"datasecu"=hex:ec,d2,b5,c5,5b,e0,ba,21,79,a9,45,83,db,8a,91,83,3f,3d,41,48,f7,
01,26,3b,18,b4,d9,d4,20,e8,31,a7,d7,4d,ba,ab,dc,43,ce,bc,a6,9d,f5,eb,71,b7,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(8668)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\windows\system32\CTHELPER.EXE
c:\program files\HP\Digital Imaging\bin\hpqtra08.PROBLEM.exe
c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-09-12 09:51:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-12 14:51

Pre-Run: 92,031,213,568 bytes free
Post-Run: 92,034,752,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D6CD9E6C4F1696593475FBB527311DC1


Here is the new DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Daniel at 9:58:52.57 on Sun 09/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1303 [GMT -5:00]

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\lvcomsx.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Carbonite\CarbonitePreinstaller.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.PROBLEM.exe
C:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Daniel\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "c:\documents and settings\daniel\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [CTHelper] CTHELPER.EXE
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08c1 -f video -m logitech -d 11.0.0.1217
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.PROBLEM.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel\applic~1\mozilla\firefox\profiles\me7gvhrl.default\
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\daniel\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-8 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-20 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100910.003\naveng.sys [2010-9-10 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100910.003\navex15.sys [2010-9-10 1362608]
S2 gupdate1c93c888294d7c2;Google Update Service (gupdate1c93c888294d7c2);c:\program files\google\update\GoogleUpdate.exe [2008-11-1 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355928]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

=============== Created Last 30 ================

2010-09-12 14:14:53 0 d-sha-r- C:\cmdcons
2010-09-12 14:10:40 98816 ----a-w- c:\windows\sed.exe
2010-09-12 14:10:40 77312 ----a-w- c:\windows\MBR.exe
2010-09-12 14:10:40 256512 ----a-w- c:\windows\PEV.exe
2010-09-12 14:10:40 161792 ----a-w- c:\windows\SWREG.exe
2010-09-12 03:54:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate
2010-09-12 03:54:26 0 d-----w- c:\program files\Seagate
2010-09-12 03:53:11 0 d-----w- c:\program files\Carbonite
2010-09-10 21:19:16 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-09-10 20:42:22 0 d-----w- c:\docume~1\daniel\applic~1\Malwarebytes
2010-09-10 20:42:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-10 20:42:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-10 20:42:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-10 20:42:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 01:52:17 37 ----a-w- c:\windows\Viewer.ini
2010-09-10 01:50:41 409 ----a-w- c:\windows\SIERRA.IN~
2010-09-10 01:50:30 0 d-----w- C:\SIERRA
2010-09-10 01:47:02 482 ----a-w- c:\windows\SIERRA.INI
2010-09-09 04:00:47 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-09 03:43:00 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-09 03:40:04 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-09 03:39:36 0 d-----w- c:\program files\Lavasoft
2010-08-15 23:21:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-15 23:21:24 423656 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-09-12 14:38:27 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-10 23:29:39 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-10 23:29:30 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 22:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2008-02-18 02:10:22 88 --sh--r- c:\windows\system32\2DF8D85242.sys
2008-02-18 02:10:22 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-11-13 02:20:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111220081113\index.dat

============= FINISH: 9:59:21.65 ===============
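The helpers in this thread read the DDS log above by eye. As an added example for anyone who wants to do the same first-pass triage by script (this is not part of the thread, and not code from DDS or any tool named in it), the Python below parses the line formats DDS uses in its "SERVICES / DRIVERS", "Created Last 30" and "Find3M" sections and lists leads worth checking: boot/system-start (R0/R1) drivers registered recently, .sys files created recently, and files carrying hidden or system attributes directly in c:\windows, system32 or system32\drivers. The sample input is a handful of lines copied from the log above. The reading of the attribute string (first character 'd' for a directory, 's' and 'h' for system and hidden) is inferred from those lines, and the 30-day window and the watched-directory list are my own choices, not DDS settings. A hit is a lead to verify against a known-good copy, not a verdict: the two hidden .sys files from 2008 that it lists are not established as malicious by anything in this thread.

```python
"""Triage helper for DDS-style log excerpts (added example; not DDS itself)."""
import re
from datetime import date

# Date the log was run; DDS prints it in the header ("Run by Daniel ... Sun 09/12/2010").
LOG_DATE = date(2010, 9, 12)

# Constructed sample input: lines in the format DDS prints, copied from the
# SERVICES / DRIVERS, Created Last 30 and Find3M sections of the log above.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-8 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
2010-09-10 20:42:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-09 03:40:04 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2008-02-18 02:10:22 88 --sh--r- c:\windows\system32\2DF8D85242.sys
2008-02-18 02:10:22 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-11-13 02:20:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111220081113\index.dat
"""

# File line: "YYYY-MM-DD hh:mm:ss <size> <8-char attrs> <path>"
FILE_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2}:\d{2} (\d+) ([-a-z]{8}) (.+)$"
)
# Service/driver line: "<R|S><start> <name>;<display name>;<path> [YYYY-M-D <size>]"
DRIVER_RE = re.compile(
    r"^([RS])(\d) ([^;]+);([^;]*);(.+) \[(\d{4})-(\d{1,2})-(\d{1,2}) (\d+)\]$"
)

# Assumption: directories where a hidden/system file is unusual enough to look at.
# Deeper paths (IE history index.dat files and the like) are deliberately left out as noise.
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}


def parent_dir(path):
    """Lower-cased directory part of a Windows path."""
    return path.lower().rsplit("\\", 1)[0]


def parse_file_line(line):
    """Parse a Created Last 30 / Find3M line; return None if it is not one."""
    m = FILE_RE.match(line)
    if not m:
        return None
    y, mo, d, size, attrs, path = m.groups()
    # Attribute string as inferred from the log: 'd' in the first column marks a
    # directory; 's' and 'h' anywhere mark the system and hidden attributes.
    return {"date": date(int(y), int(mo), int(d)), "size": int(size),
            "attrs": attrs, "path": path, "is_dir": attrs[0] == "d"}


def parse_driver_line(line):
    """Parse a SERVICES / DRIVERS line; return None if it is not one."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    kind, start, name, display, path, y, mo, d, size = m.groups()
    return {"kind": kind, "start": int(start), "name": name, "display": display,
            "path": path, "date": date(int(y), int(mo), int(d)), "size": int(size)}


def triage(log_text, log_date, recent_days=30):
    """Return (reason, path) leads in log order. Leads are things to verify, not verdicts."""
    leads = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        drv = parse_driver_line(line)
        if drv:
            # Start type 0/1 = boot/system-start kernel driver, the layer a
            # driver-infecting rootkit lives in; flag ones registered recently.
            if drv["start"] <= 1 and (log_date - drv["date"]).days <= recent_days:
                leads.append((f"recently registered {drv['kind']}{drv['start']} driver", drv["path"]))
            continue
        f = parse_file_line(line)
        if not f or f["is_dir"]:
            continue
        recent = (log_date - f["date"]).days <= recent_days
        if recent and f["path"].lower().endswith(".sys"):
            leads.append(("recently created .sys file", f["path"]))
        elif ("h" in f["attrs"] or "s" in f["attrs"]) and parent_dir(f["path"]) in WATCHED_DIRS:
            leads.append(("hidden/system file in a Windows directory", f["path"]))
    return leads


if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG, LOG_DATE):
        print(f"{reason:45s} {path}")
```

Run it on a saved DDS log by replacing SAMPLE_LOG with the file's contents; lines from other sections simply fail both regexes and are skipped. On the sample it lists Lbd.sys (registered four days before the log, which the Created Last 30 section ties to the Ad-Aware install on 2010-09-09), mbamswissarmy.sys (created the day Malwarebytes was installed), and the two hidden .sys files in system32; the first two have an obvious benign explanation in the log itself, which is exactly the check a hit should prompt before anything is deleted.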

ken545
2010-09-12, 19:25
Great, looks like your CD-ROM driver was infected and CF fixed it. What Symantec found were entries in Qoobox, which are backups of what CF removed.

It also found entries in your Java cache; let's flush it all out.
1. Click Start > Settings > Control Panel.
2. Double-click the Java Plug-in icon in the control panel.
3. Click the Cache tab.
4. Click Clear. A confirmation dialog box appears.
5. Click Yes to confirm.
6. Click Apply.


Still not done; I see some more that needs to be removed. This is what I would like you to do.

Run a system cleaner, then, since you have Malwarebytes installed, update it, run a quick scan and post the log.


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.



Then rerun DDS and post a new log. We don't use HijackThis much anymore; I forgot to remove it before I posted, so not to worry about it.

theredfox
2010-09-13, 00:06
Ok, I did what you suggested. The steps for clearing out the Java didn't line up exactly with the options I was given by whatever Java version I have (must be a minor interface change from an update), so I looked up on Java.com's website how to clear the cache. Here's what I did, just so you know, but I think it accomplished the same thing:

Once inside control panel:
1) Double-clicked Java icon
2) Clicked "Settings" under Temporary Internet Files region of the General tab
3) Clicked "Delete Files"
4) Selected both options (Applications and Applets as well as Trace and Log Files)
5) Clicked "Ok" (cache was then cleared)

I also ran ATF Cleaner, which I think I may have run a few days ago, actually, following some advice I had read in a different forum last week before I found this site. It cleaned out a lot.

When I ran the Malwarebytes quick scan, though, nothing was found. Wondering if maybe whatever problem I had had been overlooked, I followed it up with a full scan, but again, nothing was found. The log I will post is from the initial quick scan, though I do have the results for the full scan as well.

Finally, Symantec Auto-Protect kicked in again during the Malwarebytes full scan, this time coming up with 9 more instances of Backdoor.Tidserv.I!inf. I've attached the log of this as well if you want to look at it, but I deleted most of the previous history for simplicity's sake. It seems that this time it caught instances of the infection in System Restore. This is attached as symantec log2.txt.

Again, thanks SO MUCH for your help! I really appreciate this.

Malwarebytes quick scan log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4601

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/12/2010 1:25:27 PM
mbam-log-2010-09-12 (13-25-27).txt

Scan type: Quick scan
Objects scanned: 157784
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Updated DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Daniel at 16:45:41.67 on Sun 09/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1038 [GMT -5:00]

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\lvcomsx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.PROBLEM.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Daniel\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "c:\documents and settings\daniel\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [CTHelper] CTHELPER.EXE
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08c1 -f video -m logitech -d 11.0.0.1217
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HP Digital Imaging Monitor.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} - hxxp://u3.sandisk.com/download/apps/LPInstaller.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel\applic~1\mozilla\firefox\profiles\me7gvhrl.default\
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\daniel\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-8 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-5-20 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355928]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100910.003\naveng.sys [2010-9-10 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100910.003\navex15.sys [2010-9-10 1362608]
S2 gupdate1c93c888294d7c2;Google Update Service (gupdate1c93c888294d7c2);c:\program files\google\update\GoogleUpdate.exe [2008-11-1 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

=============== Created Last 30 ================

2010-09-12 14:14:53 0 d-sha-r- C:\cmdcons
2010-09-12 14:10:40 98816 ----a-w- c:\windows\sed.exe
2010-09-12 14:10:40 77312 ----a-w- c:\windows\MBR.exe
2010-09-12 14:10:40 256512 ----a-w- c:\windows\PEV.exe
2010-09-12 14:10:40 161792 ----a-w- c:\windows\SWREG.exe
2010-09-12 03:54:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate
2010-09-12 03:54:26 0 d-----w- c:\program files\Seagate
2010-09-12 03:53:11 0 d-----w- c:\program files\Carbonite
2010-09-10 21:19:16 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-09-10 20:42:22 0 d-----w- c:\docume~1\daniel\applic~1\Malwarebytes
2010-09-10 20:42:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-10 20:42:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-10 20:42:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-10 20:42:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 01:52:17 37 ----a-w- c:\windows\Viewer.ini
2010-09-10 01:50:41 409 ----a-w- c:\windows\SIERRA.IN~
2010-09-10 01:50:30 0 d-----w- C:\SIERRA
2010-09-10 01:47:02 482 ----a-w- c:\windows\SIERRA.INI
2010-09-09 04:00:47 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-09 03:43:00 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-09 03:40:04 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-09 03:39:36 0 d-----w- c:\program files\Lavasoft
2010-08-15 23:21:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-15 23:21:24 423656 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-09-12 21:42:19 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-10 23:29:39 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-10 23:29:30 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 22:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2008-02-18 02:10:22 88 --sh--r- c:\windows\system32\2DF8D85242.sys
2008-02-18 02:10:22 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-11-13 02:20:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111220081113\index.dat

============= FINISH: 16:46:25.40 ===============

ken545
2010-09-13, 01:02
Hi,

Go to your Add or Remove Programs in the Control Panel and uninstall Viewpoint. It installs without your knowledge or consent, is considered adware, uses system resources and is not needed for anything.

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above the link to this thread.

http://forums.spybot.info/showthread.php?t=59398

Collect::
c:\windows\Vhosadi.dat
c:\windows\Uromaciwi.bin
c:\windows\atrpos32.dll
c:\windows\ovovurogehuda.dll


Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Kyubu"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Jkirova"=-


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

theredfox
2010-09-13, 02:23
All right, thanks for being so prompt in replying, Ken545. I noticed that in the code text above, two startup processes were listed. I actually saw these a few days ago when checking out my startup processes, and since I didn't recognize them, I unchecked them.

After following your instructions, here is the log for ComboFix's scan...

ComboFix scan log:

ComboFix 10-09-12.01 - Daniel 09/12/2010 18:57:41.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1060 [GMT -5:00]
Running from: c:\documents and settings\Daniel\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Daniel\Desktop\CFScript.txt
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\windows\ovovurogehuda.dll
file zipped: c:\windows\Uromaciwi.bin
file zipped: c:\windows\Vhosadi.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ovovurogehuda.dll
c:\windows\Uromaciwi.bin
c:\windows\Vhosadi.dat

.
((((((((((((((((((((((((( Files Created from 2010-08-13 to 2010-09-13 )))))))))))))))))))))))))))))))
.

2010-09-12 21:44 . 2010-09-12 21:44 -------- d-sh--w- c:\documents and settings\LocalService\UserData
2010-09-12 21:44 . 2010-09-12 21:44 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-09-12 21:43 . 2010-09-12 21:43 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-09-12 03:54 . 2010-09-12 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-09-12 03:54 . 2010-09-12 03:54 -------- d-----w- c:\program files\Seagate
2010-09-12 03:53 . 2010-09-12 17:57 -------- d-----w- c:\program files\Carbonite
2010-09-11 19:16 . 2010-09-11 19:16 -------- d-----w- c:\program files\Common Files\Skype
2010-09-11 00:38 . 2010-09-11 00:39 -------- d-----w- c:\program files\ERUNT
2010-09-10 21:19 . 2010-09-10 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
2010-09-10 20:42 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-10 20:42 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 01:50 . 2010-09-10 01:50 -------- d-----w- C:\SIERRA
2010-09-09 04:00 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-09 03:43 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-09 03:40 . 2010-09-09 03:40 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\Sunbelt Software
2010-09-09 03:40 . 2010-09-09 03:40 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-09 03:40 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-09-09 03:39 . 2010-09-09 03:39 -------- d-----w- c:\program files\Lavasoft
2010-09-03 02:04 . 2010-09-03 02:04 214040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-15 23:22 . 2010-08-15 23:22 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 23:21 . 2010-08-15 23:21 503808 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e865eca-n\msvcp71.dll
2010-08-15 23:21 . 2010-08-15 23:21 499712 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e865eca-n\jmc.dll
2010-08-15 23:21 . 2010-08-15 23:21 61440 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4227d90b-n\decora-sse.dll
2010-08-15 23:21 . 2010-08-15 23:21 348160 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e865eca-n\msvcr71.dll
2010-08-15 23:21 . 2010-08-15 23:21 12800 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4227d90b-n\decora-d3d.dll
2010-08-15 23:21 . 2010-08-15 23:21 423656 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-12 23:53 . 2006-07-22 02:31 -------- d-----w- c:\program files\Symantec AntiVirus
2010-09-12 23:48 . 2006-07-19 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-09-12 21:42 . 2006-07-23 19:33 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-09-12 18:01 . 2006-07-19 17:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-12 11:13 . 2010-08-11 05:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-11 22:39 . 2010-01-11 18:37 -------- d-----w- c:\documents and settings\Daniel\Application Data\Skype
2010-09-11 19:10 . 2010-01-11 18:42 -------- d-----w- c:\documents and settings\Daniel\Application Data\skypePM
2010-09-10 20:09 . 2007-06-28 03:33 -------- d-----w- c:\program files\QuickTime
2010-09-10 20:06 . 2007-06-28 03:32 -------- d-----w- c:\program files\Apple Software Update
2010-09-09 03:39 . 2009-03-17 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-20 00:58 . 2010-08-20 00:58 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx3B.tmp
2010-08-20 00:54 . 2010-08-20 00:54 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx39.tmp
2010-08-17 00:15 . 2010-08-17 00:15 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1B.tmp
2010-08-17 00:13 . 2010-08-17 00:13 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx19.tmp
2010-08-15 23:20 . 2006-07-19 16:59 -------- d-----w- c:\program files\Java
2010-08-15 04:13 . 2009-10-15 22:57 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-12 21:09 . 2006-07-19 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\GTek
2010-08-12 21:07 . 2006-07-19 17:03 -------- d-----w- c:\program files\Dell
2010-08-12 21:07 . 2006-07-19 17:07 -------- d-----w- c:\program files\Real
2010-08-12 20:57 . 2006-07-19 17:03 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-08-12 20:56 . 2006-07-19 17:03 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-08-12 20:52 . 2007-06-28 18:48 -------- d-----w- c:\program files\Steam
2010-08-12 20:44 . 2006-07-19 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-08-12 20:44 . 2006-07-19 17:07 -------- d-----w- c:\program files\Common Files\AOL
2010-08-12 20:43 . 2006-07-19 17:07 -------- d-----w- c:\program files\Common Files\aolshare
2010-08-10 23:29 . 2007-12-25 20:31 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-10 23:29 . 2007-12-25 20:31 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-08-10 01:26 . 2010-08-10 01:26 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx22.tmp
2010-08-10 01:26 . 2010-08-10 01:26 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx21.tmp
2010-08-10 01:24 . 2010-08-10 01:24 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx20.tmp
2010-08-10 01:24 . 2010-08-10 01:24 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1F.tmp
2010-08-10 01:23 . 2010-08-10 01:23 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1E.tmp
2010-08-10 01:19 . 2010-08-10 01:19 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1D.tmp
2010-08-10 00:39 . 2010-08-10 00:39 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx5C.tmp
2010-08-10 00:37 . 2010-08-10 00:37 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx56.tmp
2010-08-10 00:33 . 2010-08-10 00:33 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx3D.tmp
2010-08-03 21:15 . 2006-09-04 19:56 -------- d-----w- c:\documents and settings\Daniel\Application Data\Image Zone Express
2010-08-01 04:13 . 2010-08-01 04:13 -------- d-----w- c:\documents and settings\Daniel\Application Data\MSNInstaller
2010-07-30 05:29 . 2010-07-30 05:29 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-07-30 05:29 . 2010-07-30 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-07-30 03:43 . 2010-07-30 03:43 -------- d-----w- c:\program files\Belkin
2010-06-30 12:31 . 2004-08-11 22:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 04:47 . 2010-06-24 04:47 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb52.tmp.exe
2010-06-23 13:44 . 2004-08-11 22:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-11 22:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-11 22:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 17:19 . 2010-06-15 17:19 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx15.tmp
2008-02-18 02:10 . 2006-07-22 22:12 88 --sh--r- c:\windows\system32\2DF8D85242.sys
2008-02-18 02:10 . 2006-07-22 22:12 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-05-11 441120]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^YouTube Uploader.lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\YouTube Uploader.lnk
backup=c:\windows\pss\YouTube Uploader.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-09-09 03:42 864624 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-23 00:42 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 06:00 45056 ------w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-30 14:47 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-04-01 18:04 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
2005-12-07 14:26 489472 ----a-w- c:\program files\Logitech\Video\CameraAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
2005-12-07 14:33 73728 ----a-w- c:\program files\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcq]
2005-09-14 19:40 229466 ------w- c:\program files\Creative\Shared Files\Media Sniffer\MtdAcq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-12 04:08 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-16 04:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-03-17 10:34 124656 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"CTxfiHlp"=CTXFIHLP.EXE
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\dmw2788\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\tubabubba\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/8/2010 10:43 PM 64288]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/29/2010 12:02 AM 102448]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]
S2 gupdate1c93c888294d7c2;Google Update Service (gupdate1c93c888294d7c2);c:\program files\Google\Update\GoogleUpdate.exe [11/1/2008 8:15 PM 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 7:15 AM 15008]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 5:34 AM 115952]
.
Contents of the 'Scheduled Tasks' folder

2010-09-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 03:42]

2009-09-02 c:\windows\Tasks\Blue Devils - F-Tuning (Ditty Cadence).job
- c:\documents and settings\Daniel\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Naruto\11 Track 11 (rap).m4a [2007-10-07 06:11]

2010-06-16 c:\windows\Tasks\Cancel apartment insurance policy reminder.job
- c:\documents and settings\Daniel\My Documents\Cancel your apartment insurance.doc [2010-06-16 18:24]

2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-02 01:15]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-02 01:15]

2010-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311269471-1733383960-847243865-1005Core.job
- c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 18:59]

2010-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311269471-1733383960-847243865-1005UA.job
- c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 18:59]

2009-01-03 c:\windows\Tasks\Journal reminder.job
- c:\documents and settings\Daniel\My Documents\Journal\reminder 2.txt [2007-08-24 02:00]

2010-09-12 c:\windows\Tasks\Microsoft Office Word 2003.job
- c:\documents and settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office Word 2003.lnk [2006-07-22 02:03]

2010-09-08 c:\windows\Tasks\User_Feed_Synchronization-{1BF8318D-0EC3-416B-BC83-385052EB66C3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\me7gvhrl.default\
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-12 19:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3311269471-1733383960-847243865-1005\Software\SecuROM\License information*]
"datasecu"=hex:ec,d2,b5,c5,5b,e0,ba,21,79,a9,45,83,db,8a,91,83,3f,3d,41,48,f7,
01,26,3b,18,b4,d9,d4,20,e8,31,a7,d7,4d,ba,ab,dc,43,ce,bc,a6,9d,f5,eb,71,b7,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-09-12 19:09:20
ComboFix-quarantined-files.txt 2010-09-13 00:09
ComboFix2.txt 2010-09-12 14:51

Pre-Run: 92,097,712,128 bytes free
Post-Run: 92,077,613,056 bytes free

- - End Of File - - 2F2396F79105F38C6F85D4DDC4FCDEA2
Upload was successful



You didn't ask for these, but just in case, I've attached another DDS log.

theredfox
2010-09-13, 02:26
*By startup processes, I mean Kyubu and Jkirova*

ken545
2010-09-13, 02:52
By startup processes, I mean Kyubu and Jkirova* <-- They're gone along with the offending files.

How are things running now ?

Let's run a free online virus scanner; it may pick up something we missed.

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

theredfox
2010-09-13, 05:24
I ran the ESET scan, and it found two instances of the same trojan. I exported the scan results and posted them below, but I couldn't find the log file in the ESET directory folder.

So, during the scan (and just in general), my Symantec Auto-Protect kept informing me about that same Backdoor.Tidserv.I!inf issue. It seems like it keeps encountering it anew or something. Is there any way to permanently resolve that risk?

ESET log:

C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1258\A0108930.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined

ken545
2010-09-13, 10:29
Good Morning,

We need to clear out all your restore points, as ESET found a bad file in there. There may be more, but let's hang off a bit until we're done.

The warning you're getting could be part of the rootkit that ComboFix removed; there may be more it didn't find.


Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.

Extract the file and run it.

Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)

Please post the content of the TDSSKiller log

theredfox
2010-09-13, 20:54
Looks like nothing was found. Here are the results:

2010/09/13 13:53:37.0687 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/13 13:53:37.0687 ================================================================================
2010/09/13 13:53:37.0687 SystemInfo:
2010/09/13 13:53:37.0687
2010/09/13 13:53:37.0687 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/13 13:53:37.0687 Product type: Workstation
2010/09/13 13:53:37.0687 ComputerName: DANIEL
2010/09/13 13:53:37.0687 UserName: Daniel
2010/09/13 13:53:37.0687 Windows directory: C:\WINDOWS
2010/09/13 13:53:37.0687 System windows directory: C:\WINDOWS
2010/09/13 13:53:37.0687 Processor architecture: Intel x86
2010/09/13 13:53:37.0687 Number of processors: 2
2010/09/13 13:53:37.0687 Page size: 0x1000
2010/09/13 13:53:37.0687 Boot type: Normal boot
2010/09/13 13:53:37.0687 ================================================================================
2010/09/13 13:53:37.0984 Initialize success
2010/09/13 13:53:47.0578 ================================================================================
2010/09/13 13:53:47.0578 Scan started
2010/09/13 13:53:47.0578 Mode: Manual;
2010/09/13 13:53:47.0578 ================================================================================
2010/09/13 13:54:04.0937 ================================================================================
2010/09/13 13:54:04.0937 Scan finished
2010/09/13 13:54:04.0937 ================================================================================

ken545
2010-09-13, 22:08
Ok, let's run another rootkit scanner. That one just checked for the TDSS rootkit, which appears gone, but there are others that may not be showing on your logs.


Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click GMER.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.

theredfox
2010-09-16, 06:40
Hey Ken, sorry I have been MIA for a couple of days here. I ran the GMER scan the same day you suggested it. It was taking a long time, so I left my computer running overnight and came back to it in the morning. It had finished the scan, but as I went to click on the "Save" button, I got the blue screen error. At the time, I was running late for class, so I didn't have the chance to write down the technical information there, and I just manually shut off the computer.

The next time I got on my computer, I did the Microsoft Error Reporting when it popped up, telling me I had recovered from a serious error. The website page that eventually opened from Microsoft said that the error had something to do with a driver. Well, I wasn't sure what it could be, but I suspected that it may have had something to do with installing and uninstalling the software for an external hard drive from Seagate.

I ran Windows update next, and found that there were 8 updates (mostly Microsoft security updates) that needed to be downloaded (I'm not sure why they weren't brought to my attention by the update checker--they normally are). So, I downloaded them and restarted my computer.

Once the computer was up and running again, I decided to update my drivers via the hardware device manager. I went down the list of hardware devices on my computer, searching to see if there were any available updates, but I wasn't finding any until I got to my sound card. An updated driver was downloaded for my audio codecs, but as soon as that was done, I got another blue screen.

I shut off and restarted my computer yet again, this time going into safe mode as the blue screen prompt suggested. I used Windows System restore to revert back to the settings I had from the 10th (last Friday), but after the restoration was complete and I restarted the computer, I was sent immediately to the blue screen.

Well, at this point, I decided I should let you know what was going on. I'm using my laptop now to post here. The technical information given by the most recent blue screen, the one I get on starting the computer, says:

STOP: 0x0000007E (0xC0000005,0xA936E978,0xBA5031A4,0xBA502EA0)

I'm kind of lost right now as to what to do. I'm thinking of trying to restore to an even earlier point, but I wanted to see what you say about it. I'm hoping you can shed some light on the matter! Thanks again for your help!

ken545
2010-09-16, 10:21
Go ahead and restore to an earlier time if you can. One of the things about cleaning malware off of a system is to just leave it be until the computer is clean. I have always gone by the saying "If it ain't broke, don't fix it." What I mean by that is, if say your sound card is running fine, leave it be, but that's me. The problem you're having now is software related, updating those drivers; if the restore does not get you up and running, let me know and I can link you to some great Windows support sites, as we just do malware removal on this one.

Let me know how it went

theredfox
2010-09-17, 03:58
Well, it looks like the second system restore I did worked. I was able to successfully complete the GMER scan and save the log file, so here it is...

After pasting the log here, it looks like the formatting is off, so I'll also upload the original file for ease in reading it.

GMER Scan Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-16 20:36:41
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Daniel\LOCALS~1\Temp\kwdyqfog.sys


---- System - GMER 1.0.15 ----

SSDT 8A71B1F8 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA8DF6CB0]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA8DF6F10]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB99B7000, 0x1C5D58, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A42A7D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:692] A863083A

---- EOF - GMER 1.0.15 ----
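
Added example (not part of either post above and not a GMER tool): a short Python script that parses the SSDT and device lines of a GMER log in the shape shown above and sorts them by the vendor GMER names in the parenthesised field. Entries credited to a security product installed on the machine (Lavasoft's Lbd.sys and Symantec's SYMEVENT.SYS here) are the expected kind of hook that ken545's caution about false positives refers to; entries GMER could only report as a bare address, with no module or vendor, are the ones a helper would ask about next. The sample log embedded in the script is a constructed excerpt in the same format, and the regular expressions and the `Entry` / `parse_gmer` / `triage` names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the shape of a GMER 1.0.15 log (sample input, not the
# full log from the thread). The raw string keeps the backslashes literal.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 8A71B1F8 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA8DF6CB0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A42A7D20
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""

# A bare 8-digit hex value is how GMER reports code it could not map to a module file.
ADDRESS_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# SSDT <module or address> [(description/vendor)] <Zw function> [[0xaddress]]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>[^(]+?)(?:\s+\((?P<desc>.+?)\))?"
    r"\s+(?P<func>Zw\w+)(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)

# (AttachedDevice|Device) [<device stack> ]<module or address> [(description/vendor)]
DEVICE_RE = re.compile(
    r"^(?P<kind>AttachedDevice|Device)\s+(?:(?P<target>[^(]+?)\s+)?"
    r"(?P<module>[^(\s]+)(?:\s+\((?P<desc>.+?)\))?\s*$"
)


@dataclass
class Entry:
    kind: str      # "SSDT", "AttachedDevice" or "Device"
    target: str    # hooked Zw function, or the device stack the filter sits on
    module: str    # driver file, or a bare address when GMER could not resolve it
    vendor: str    # vendor half of "(description/vendor)", "" when absent

    @property
    def attributed(self) -> bool:
        """True when GMER tied the entry to a module file with a named vendor."""
        return bool(self.vendor) and ADDRESS_RE.match(self.module) is None


def _vendor(desc: Optional[str]) -> str:
    """'Boot Driver/Lavasoft AB' -> 'Lavasoft AB'; missing description -> ''."""
    return desc.rsplit("/", 1)[-1].strip() if desc else ""


def parse_gmer(text: str) -> List[Entry]:
    """Extract SSDT hook and device-filter entries from GMER log text."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            entries.append(Entry("SSDT", m.group("func"), m.group("module"),
                                 _vendor(m.group("desc"))))
            continue
        m = DEVICE_RE.match(line)
        if m:
            entries.append(Entry(m.group("kind"), m.group("target") or "",
                                 m.group("module"), _vendor(m.group("desc"))))
    return entries


def triage(entries: List[Entry]) -> Tuple[Dict[str, List[Entry]], List[Entry]]:
    """Group attributed entries by vendor; return the unattributed ones separately."""
    by_vendor: Dict[str, List[Entry]] = {}
    unexplained: List[Entry] = []
    for e in entries:
        if e.attributed:
            by_vendor.setdefault(e.vendor, []).append(e)
        else:
            unexplained.append(e)
    return by_vendor, unexplained


if __name__ == "__main__":
    grouped, open_items = triage(parse_gmer(SAMPLE_LOG))
    for vendor, items in sorted(grouped.items()):
        print(f"{vendor}: {len(items)} entries, e.g. {items[0].kind} {items[0].module}")
    for e in open_items:
        print(f"needs explanation: {e.kind} {e.target} {e.module}".rstrip())
```

On the constructed sample this groups three entries under Symantec, two under Microsoft and one under Lavasoft, and leaves two address-only entries (one SSDT hook, one device) to be explained. An address-only entry means only that GMER could not map the code to a loaded module file; it is a question for the helper, not a verdict, which is why the post above says to take no action on such entries.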

ken545
2010-09-17, 11:45
Hi,

This is what I would like you to do since you used System Restore.

1.
Do not install any more drivers, programs, or hardware; this goes for uninstalling them also. Just leave things be until we're done.


2.
Drag ComboFix to the trash and redownload it, as it's updated on a regular basis, then run it again and post the log.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

theredfox
2010-09-18, 06:23
Hey Ken, here are the results from the ComboFix scan...

ComboFix 10-09-17.04 - Daniel 09/17/2010 19:22:59.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1236 [GMT -5:00]
Running from: c:\documents and settings\Daniel\Desktop\ComboFix.exe
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))
.

2010-09-16 04:12 . 2008-07-11 20:40 321512 ----a-w- c:\windows\system32\ctdlang.dat
2010-09-13 01:18 . 2010-09-13 01:18 -------- d-----w- c:\program files\ESET
2010-09-12 21:44 . 2010-09-12 21:44 -------- d-sh--w- c:\documents and settings\LocalService\UserData
2010-09-12 21:44 . 2010-09-12 21:44 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-09-12 21:43 . 2010-09-12 21:43 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-09-12 03:54 . 2010-09-12 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-09-12 03:54 . 2010-09-12 03:54 -------- d-----w- c:\program files\Seagate
2010-09-12 03:53 . 2010-09-13 00:14 -------- d-----w- c:\program files\Carbonite
2010-09-11 19:16 . 2010-09-11 19:16 -------- d-----w- c:\program files\Common Files\Skype
2010-09-11 00:38 . 2010-09-11 00:39 -------- d-----w- c:\program files\ERUNT
2010-09-10 21:19 . 2010-09-10 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
2010-09-10 20:42 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-10 20:42 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 01:50 . 2010-09-10 01:50 -------- d-----w- C:\SIERRA
2010-09-09 04:00 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-09 03:43 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-09 03:40 . 2010-09-09 03:40 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\Sunbelt Software
2010-09-09 03:40 . 2010-09-09 03:40 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-09 03:40 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-09-09 03:39 . 2010-09-09 03:39 -------- d-----w- c:\program files\Lavasoft
2010-09-03 02:04 . 2010-09-03 02:04 214040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 00:18 . 2006-07-22 02:31 -------- d-----w- c:\program files\Symantec AntiVirus
2010-09-17 20:31 . 2006-07-23 19:33 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-09-12 23:48 . 2006-07-19 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-09-12 18:01 . 2006-07-19 17:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-12 11:13 . 2010-08-11 05:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-11 22:39 . 2010-01-11 18:37 -------- d-----w- c:\documents and settings\Daniel\Application Data\Skype
2010-09-11 19:10 . 2010-01-11 18:42 -------- d-----w- c:\documents and settings\Daniel\Application Data\skypePM
2010-09-10 20:09 . 2007-06-28 03:33 -------- d-----w- c:\program files\QuickTime
2010-09-10 20:06 . 2007-06-28 03:32 -------- d-----w- c:\program files\Apple Software Update
2010-09-09 03:39 . 2009-03-17 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-20 00:58 . 2010-08-20 00:58 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx3B.tmp
2010-08-20 00:54 . 2010-08-20 00:54 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx39.tmp
2010-08-17 13:17 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 00:15 . 2010-08-17 00:15 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1B.tmp
2010-08-17 00:13 . 2010-08-17 00:13 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx19.tmp
2010-08-15 23:22 . 2010-08-15 23:22 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 23:21 . 2010-08-15 23:21 503808 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e865eca-n\msvcp71.dll
2010-08-15 23:21 . 2010-08-15 23:21 499712 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e865eca-n\jmc.dll
2010-08-15 23:21 . 2010-08-15 23:21 61440 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4227d90b-n\decora-sse.dll
2010-08-15 23:21 . 2010-08-15 23:21 348160 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e865eca-n\msvcr71.dll
2010-08-15 23:21 . 2010-08-15 23:21 12800 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4227d90b-n\decora-d3d.dll
2010-08-15 23:21 . 2010-08-15 23:21 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 23:20 . 2006-07-19 16:59 -------- d-----w- c:\program files\Java
2010-08-15 04:13 . 2009-10-15 22:57 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-12 21:09 . 2006-07-19 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\GTek
2010-08-12 21:07 . 2006-07-19 17:03 -------- d-----w- c:\program files\Dell
2010-08-12 21:07 . 2006-07-19 17:07 -------- d-----w- c:\program files\Real
2010-08-12 20:57 . 2006-07-19 17:03 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-08-12 20:56 . 2006-07-19 17:03 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-08-12 20:52 . 2007-06-28 18:48 -------- d-----w- c:\program files\Steam
2010-08-12 20:44 . 2006-07-19 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-08-12 20:44 . 2006-07-19 17:07 -------- d-----w- c:\program files\Common Files\AOL
2010-08-12 20:43 . 2006-07-19 17:07 -------- d-----w- c:\program files\Common Files\aolshare
2010-08-10 23:29 . 2007-12-25 20:31 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-10 23:29 . 2007-12-25 20:31 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-08-10 01:26 . 2010-08-10 01:26 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx22.tmp
2010-08-10 01:26 . 2010-08-10 01:26 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx21.tmp
2010-08-10 01:24 . 2010-08-10 01:24 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx20.tmp
2010-08-10 01:24 . 2010-08-10 01:24 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1F.tmp
2010-08-10 01:23 . 2010-08-10 01:23 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1E.tmp
2010-08-10 01:19 . 2010-08-10 01:19 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1D.tmp
2010-08-10 00:39 . 2010-08-10 00:39 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx5C.tmp
2010-08-10 00:37 . 2010-08-10 00:37 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx56.tmp
2010-08-10 00:33 . 2010-08-10 00:33 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx3D.tmp
2010-08-03 21:15 . 2006-09-04 19:56 -------- d-----w- c:\documents and settings\Daniel\Application Data\Image Zone Express
2010-08-01 04:13 . 2010-08-01 04:13 -------- d-----w- c:\documents and settings\Daniel\Application Data\MSNInstaller
2010-07-30 05:29 . 2010-07-30 05:29 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-07-30 05:29 . 2010-07-30 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-07-30 03:43 . 2010-07-30 03:43 -------- d-----w- c:\program files\Belkin
2010-07-22 15:49 . 2004-08-11 22:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 15:48 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31 . 2004-08-11 22:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 04:47 . 2010-06-24 04:47 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb52.tmp.exe
2010-06-23 13:44 . 2004-08-11 22:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-11 22:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2008-02-18 02:10 . 2006-07-22 22:12 88 --sh--r- c:\windows\system32\2DF8D85242.sys
2008-02-18 02:10 . 2006-07-22 22:12 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-09-13_00.06.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-17 20:32 . 2010-09-17 20:32 16384 c:\windows\Temp\Perflib_Perfdata_c0.dat
+ 2010-09-16 04:12 . 2008-07-15 23:11 92696 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\i386\emupia2k.sys
+ 2010-09-16 04:12 . 2008-07-15 23:09 14360 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\i386\ctprxy2k.sys
+ 2010-09-16 04:12 . 2008-07-11 20:53 86016 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\i386\ctcoinst.dll
+ 2010-09-16 04:12 . 2008-07-11 20:37 26919 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\ctd20x.dat
+ 2010-09-16 04:12 . 2008-07-11 20:40 56509 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\ctdnlstr.dat
+ 2010-09-16 04:12 . 2008-04-14 00:12 23552 c:\windows\system32\ReinstallBackups\0032\DriverFiles\i386\wdmaud.drv
+ 2010-09-16 04:12 . 2008-04-13 17:45 49408 c:\windows\system32\ReinstallBackups\0032\DriverFiles\i386\stream.sys
+ 2010-09-16 04:12 . 2008-04-13 17:45 60160 c:\windows\system32\ReinstallBackups\0032\DriverFiles\i386\drmk.sys
+ 2010-09-16 04:12 . 2005-11-08 10:14 33792 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\regplib.exe
+ 2010-09-16 04:12 . 2008-07-11 20:39 64512 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\piaproxy.dll
+ 2010-09-16 04:12 . 2008-07-11 20:37 10240 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\killapps.exe
+ 2010-09-16 04:12 . 2001-07-11 15:51 77824 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\eaxac3.dll
+ 2010-09-16 04:12 . 2008-07-11 20:36 32768 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\devreg.dll
+ 2010-09-16 04:12 . 2008-07-11 20:50 45056 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\CTxfiSpk.dll
+ 2010-09-16 04:12 . 2008-07-11 20:46 43520 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\Ctxfireg.exe
+ 2010-09-16 04:12 . 2008-07-11 20:50 19968 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\Ctxfihlp.exe
+ 2010-09-16 04:12 . 2008-07-11 20:50 35840 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\CTxfiBtn.dll
+ 2010-09-16 04:12 . 2007-03-13 15:32 89336 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\ctpxst32.exe
+ 2010-09-16 04:12 . 2007-03-19 16:06 45568 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\ctppld.dll
+ 2010-09-16 04:12 . 2008-07-11 20:39 69120 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\ctosuser.dll
+ 2010-09-16 04:12 . 2008-07-15 22:23 72728 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\CTHWIUT.DLL
+ 2010-09-16 04:12 . 2008-07-11 20:39 49152 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\ctdproxy.dll
+ 2010-09-16 04:12 . 2008-07-11 20:39 46592 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\ctasio.dll
+ 2010-09-16 04:12 . 2008-07-11 20:46 10752 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\Ct20xspi.dll
+ 2010-09-16 04:12 . 2006-12-05 19:52 48400 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\AddCat.exe
+ 2010-09-16 04:12 . 2008-07-11 20:51 27648 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\ac3api.dll
+ 2010-09-16 04:12 . 2005-11-08 10:38 33792 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\a3d.dll
+ 2010-08-17 13:17 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
- 2006-07-19 16:40 . 2008-07-11 20:37 26919 c:\windows\system32\data\ctd20x.dat
+ 2010-09-16 04:12 . 2008-07-11 20:37 26919 c:\windows\system32\data\ctd20x.dat
+ 2010-09-16 04:12 . 2005-11-08 10:40 9216 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\i386\pfmodnt.sys
+ 2010-09-16 04:12 . 2008-07-11 20:37 2091 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\cts20x.dat
+ 2010-09-16 04:12 . 2008-07-11 20:50 3072 c:\windows\system32\ReinstallBackups\0032\DriverFiles\lang\i386\CtxfiRes.dll
+ 2010-09-16 04:12 . 2008-04-14 00:11 4096 c:\windows\system32\ReinstallBackups\0032\DriverFiles\i386\ksuser.dll
+ 2010-09-16 04:12 . 2008-07-11 20:39 6144 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\sfman32.dll
+ 2010-09-16 04:12 . 2008-07-11 20:37 5120 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\enlocstr.exe
- 2006-07-19 16:40 . 2008-07-11 20:37 2091 c:\windows\system32\data\cts20x.dat
+ 2010-09-16 04:12 . 2008-07-11 20:37 2091 c:\windows\system32\data\cts20x.dat
+ 2006-07-19 16:40 . 2005-11-08 10:30 9216 c:\windows\CTPRES.DLL
+ 2004-08-11 22:00 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll
- 2004-08-11 22:00 . 2008-04-14 00:12 293376 c:\windows\system32\winsrv.dll
- 2004-08-11 22:00 . 2008-04-14 00:12 406016 c:\windows\system32\usp10.dll
+ 2004-08-11 22:00 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll
+ 2010-09-16 04:19 . 2010-09-16 19:51 347300 c:\windows\system32\Restore\rstrlog.dat
+ 2010-09-16 04:12 . 2008-07-15 23:10 157208 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\i386\ctsfm2k.sys
+ 2010-09-16 04:12 . 2008-07-15 23:08 127000 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\i386\ctoss2k.sys
+ 2010-09-16 04:12 . 2008-07-11 20:53 181248 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\i386\ctdvinst.dll
+ 2010-09-16 04:12 . 2008-07-15 23:08 347080 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\i386\ctdvda2k.sys
+ 2010-09-16 04:12 . 2008-07-15 23:07 527384 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\i386\ctaud2k.sys
+ 2010-09-16 04:12 . 2008-07-15 23:06 511000 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\i386\ctac32k.sys
+ 2010-09-16 04:12 . 2008-07-11 20:39 275257 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0760W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 277688 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP073AW.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 277688 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0730W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 357983 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0679W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 357983 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0678W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 275766 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP055AW.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 276094 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0550W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 275508 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP046CW.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 275508 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP046BW.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 275508 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP046AW.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 275836 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0469W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 275836 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0468W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 275836 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0466W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 275836 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0465W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 275836 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0464W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 276282 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0463W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 275836 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0462W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:39 275836 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\Data\CTP0460W.DAT
+ 2010-09-16 04:12 . 2008-07-11 20:40 321512 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\ctdlang.dat
+ 2010-09-16 04:12 . 2008-04-13 18:19 146048 c:\windows\system32\ReinstallBackups\0032\DriverFiles\i386\portcls.sys
+ 2010-09-16 04:12 . 2008-04-13 18:16 141056 c:\windows\system32\ReinstallBackups\0032\DriverFiles\i386\ks.sys
+ 2010-09-16 04:12 . 2008-07-11 20:39 104448 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\sfms32.dll
+ 2010-09-16 04:12 . 2007-07-11 07:30 782336 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\OALInst.exe
+ 2010-09-16 04:12 . 2008-07-11 20:46 969216 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\CTxfispi.exe
+ 2010-09-16 04:12 . 2008-07-11 20:40 110080 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\ctemupia.dll
+ 2010-09-16 04:12 . 2007-03-19 16:05 512000 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\CTAPO32.dll
+ 2010-09-16 04:12 . 2008-07-15 22:23 170520 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\CT20XUT.DLL
+ 2010-09-16 04:12 . 2008-07-11 20:39 174592 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\ct_oal.dll
+ 2010-09-16 04:12 . 2007-08-29 19:22 557159 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\APOIM32.exe
+ 2006-10-19 02:47 . 2010-03-30 17:24 317440 c:\windows\system32\mp4sdecd.dll
- 2006-10-19 02:47 . 2006-10-19 02:47 317440 c:\windows\system32\MP4SDECD.dll
+ 2004-08-11 22:12 . 2010-06-09 07:43 692736 c:\windows\system32\inetcomm.dll
+ 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2010-04-16 15:36 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll
+ 2009-04-15 14:51 . 2010-07-22 15:49 590848 c:\windows\system32\dllcache\rpcrt4.dll
+ 2010-03-30 17:24 . 2010-03-30 17:24 317440 c:\windows\system32\dllcache\mp4sdecd.dll
+ 2010-01-29 15:01 . 2010-06-09 07:43 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2010-09-16 04:12 . 2008-07-15 23:12 1173016 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Win2K_XP\i386\ha20x2k.sys
+ 2010-09-16 04:12 . 2008-07-15 22:22 1323544 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\CTEXFIFX.DLL
+ 2010-09-16 04:12 . 2008-07-15 06:08 24089151 c:\windows\system32\ReinstallBackups\0032\DriverFiles\Common\i386\AppSetup.exe
+ 2006-07-22 18:46 . 2010-09-16 03:25 35552200 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-05-11 441120]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^YouTube Uploader.lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\YouTube Uploader.lnk
backup=c:\windows\pss\YouTube Uploader.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-09-09 03:42 864624 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-23 00:42 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 06:00 45056 ------w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-30 14:47 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-04-01 18:04 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
2005-12-07 14:26 489472 ----a-w- c:\program files\Logitech\Video\CameraAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
2005-12-07 14:33 73728 ----a-w- c:\program files\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcq]
2005-09-14 19:40 229466 ------w- c:\program files\Creative\Shared Files\Media Sniffer\MtdAcq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-12 04:08 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-16 04:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-03-17 10:34 124656 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"CTxfiHlp"=CTXFIHLP.EXE
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\dmw2788\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\tubabubba\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/8/2010 10:43 PM 64288]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/29/2010 12:02 AM 102448]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]
S2 gupdate1c93c888294d7c2;Google Update Service (gupdate1c93c888294d7c2);c:\program files\Google\Update\GoogleUpdate.exe [11/1/2008 8:15 PM 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 7:15 AM 15008]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 5:34 AM 115952]
.
Contents of the 'Scheduled Tasks' folder

2010-09-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 03:42]

2009-09-02 c:\windows\Tasks\Blue Devils - F-Tuning (Ditty Cadence).job
- c:\documents and settings\Daniel\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Naruto\11 Track 11 (rap).m4a [2007-10-07 06:11]

2010-06-16 c:\windows\Tasks\Cancel apartment insurance policy reminder.job
- c:\documents and settings\Daniel\My Documents\Cancel your apartment insurance.doc [2010-06-16 18:24]

2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-02 01:15]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-02 01:15]

2010-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311269471-1733383960-847243865-1005Core.job
- c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 18:59]

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311269471-1733383960-847243865-1005UA.job
- c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 18:59]

2009-01-03 c:\windows\Tasks\Journal reminder.job
- c:\documents and settings\Daniel\My Documents\Journal\reminder 2.txt [2007-08-24 02:00]

2010-09-17 c:\windows\Tasks\Microsoft Office Word 2003.job
- c:\documents and settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office Word 2003.lnk [2006-07-22 02:03]

2010-09-16 c:\windows\Tasks\User_Feed_Synchronization-{1BF8318D-0EC3-416B-BC83-385052EB66C3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\me7gvhrl.default\
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-17 19:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...


c:\docume~1\Daniel\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3311269471-1733383960-847243865-1005\Software\SecuROM\License information*]
"datasecu"=hex:ec,d2,b5,c5,5b,e0,ba,21,79,a9,45,83,db,8a,91,83,3f,3d,41,48,f7,
01,26,3b,18,b4,d9,d4,20,e8,31,a7,d7,4d,ba,ab,dc,43,ce,bc,a6,9d,f5,eb,71,b7,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2232)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-17 19:33:51
ComboFix-quarantined-files.txt 2010-09-18 00:33
ComboFix2.txt 2010-09-13 00:09
ComboFix3.txt 2010-09-12 14:51

Pre-Run: 91,426,734,080 bytes free
Post-Run: 91,402,031,104 bytes free

- - End Of File - - CE306411340539E25BD72F09CBEEEF01
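For readers who want to pull the lines that matter out of a ComboFix/catchme log like the one posted above (AV and firewall status, Security Center monitoring switched off, Windows Firewall profile disabled, and the hidden autostart entries and files catchme lists), here is a small triage script. It is an added example, not a ComboFix, Spybot or Gmer tool; the sample log inside it is constructed from lines in the same shape as the log above, and the finding category names are my own.

```python
"""Triage helper for ComboFix/catchme-style log text (added example, not part of
ComboFix, Spybot or Gmer). It returns the lines a helper reads first."""
import re

# Constructed sample: a handful of lines in the same shape as the ComboFix and
# catchme output in this thread, not a full log.
SAMPLE_LOG = r"""
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...


c:\docume~1\Daniel\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                     # [registry key] block header
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
ENABLE_FW_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')


def triage(log_text):
    """Return a list of (category, detail) findings in log order.

    Categories (names chosen for this example): protection-disabled,
    security-center-monitoring-off, firewall-off, hidden-autostart, hidden-file.
    """
    findings = []
    section = None        # current [registry key] block, if any
    catchme_mode = None   # "autostart" or "files" while inside a catchme listing
    catchme_key = None    # last registry key seen in the hidden-autostart listing
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # catchme prints a "scanning ..." banner, then the entries, then a summary.
        if line.startswith("scanning hidden autostart entries"):
            catchme_mode = "autostart"
            continue
        if line.startswith("scanning hidden files"):
            catchme_mode = "files"
            continue
        if line.startswith(("scan completed", "scanning hidden processes")):
            catchme_mode = None
            continue
        if catchme_mode == "autostart":
            if " = " in line:          # "Name = value" under the key printed before it
                findings.append(("hidden-autostart", f"{catchme_key}: {line}"))
            else:
                catchme_key = line
            continue
        if catchme_mode == "files":    # every non-blank line here is a hidden file
            findings.append(("hidden-file", line))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Header lines: any AV/FW product reported as disabled.
        if line.startswith(("AV:", "FW:")) and "disabled" in line.lower():
            findings.append(("protection-disabled", line))
            continue
        if section and "security center\\monitoring\\" in section.lower() \
                and DISABLE_MON_RE.match(line):
            findings.append(("security-center-monitoring-off", section.rsplit("\\", 1)[-1]))
            continue
        if section and section.lower().endswith("firewallpolicy\\standardprofile"):
            m = ENABLE_FW_RE.match(line)
            if m and m.group(1) == "0":
                findings.append(("firewall-off", "standardprofile"))
                continue
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32} {detail}")
```

The script only lists what the log already says; whether a hidden file is the scanner's own component or a product's monitoring was turned off deliberately is still the helper's call.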

ken545
2010-09-18, 12:11
Hi,

Go to your Add/Remove Programs in the Control Panel and uninstall Viewpoint; it installs without your knowledge or consent, is considered Adware, uses system resources and is not needed for anything.


Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::




File::
c:\windows\system32\drivers\lvuvc.hs
c:\documents and settings\All Users\Application Data\Viewpoint


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

theredfox
2010-09-20, 00:40
Before I ran Combofix with the text file, I double-checked to make sure that Viewpoint wasn't on my programs list, because I remembered having uninstalled it earlier. It looks like it was already uninstalled, though the folder mentioned in the Notepad file was still present in the directory (albeit empty). I went ahead and ran Combofix. Here are the results:

ComboFix 10-09-17.04 - Daniel 09/19/2010 17:24:51.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1177 [GMT -5:00]
Running from: c:\documents and settings\Daniel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daniel\Desktop\CFScript.txt
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

FILE ::
"c:\documents and settings\All Users\Application Data\Viewpoint"
"c:\windows\system32\drivers\lvuvc.hs"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\lvuvc.hs

.
((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
.

2010-09-16 04:12 . 2008-07-11 20:40 321512 ----a-w- c:\windows\system32\ctdlang.dat
2010-09-13 01:18 . 2010-09-13 01:18 -------- d-----w- c:\program files\ESET
2010-09-12 21:44 . 2010-09-12 21:44 -------- d-sh--w- c:\documents and settings\LocalService\UserData
2010-09-12 21:44 . 2010-09-12 21:44 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-09-12 21:43 . 2010-09-12 21:43 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-09-12 03:54 . 2010-09-12 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-09-12 03:54 . 2010-09-12 03:54 -------- d-----w- c:\program files\Seagate
2010-09-12 03:53 . 2010-09-13 00:14 -------- d-----w- c:\program files\Carbonite
2010-09-11 19:16 . 2010-09-11 19:16 -------- d-----w- c:\program files\Common Files\Skype
2010-09-11 00:38 . 2010-09-11 00:39 -------- d-----w- c:\program files\ERUNT
2010-09-10 21:19 . 2010-09-10 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
2010-09-10 20:42 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-10 20:42 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-10 20:42 . 2010-09-10 20:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-10 01:50 . 2010-09-10 01:50 -------- d-----w- C:\SIERRA
2010-09-09 04:00 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-09 03:43 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-09 03:40 . 2010-09-09 03:40 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\Sunbelt Software
2010-09-09 03:40 . 2010-09-09 03:40 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-09 03:40 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-09-09 03:39 . 2010-09-09 03:39 -------- d-----w- c:\program files\Lavasoft
2010-09-03 02:04 . 2010-09-03 02:04 214040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-19 22:23 . 2006-07-22 02:31 -------- d-----w- c:\program files\Symantec AntiVirus
2010-09-12 23:48 . 2006-07-19 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-09-12 18:01 . 2006-07-19 17:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-12 11:13 . 2010-08-11 05:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-11 22:39 . 2010-01-11 18:37 -------- d-----w- c:\documents and settings\Daniel\Application Data\Skype
2010-09-11 19:10 . 2010-01-11 18:42 -------- d-----w- c:\documents and settings\Daniel\Application Data\skypePM
2010-09-10 20:09 . 2007-06-28 03:33 -------- d-----w- c:\program files\QuickTime
2010-09-10 20:06 . 2007-06-28 03:32 -------- d-----w- c:\program files\Apple Software Update
2010-09-09 03:39 . 2009-03-17 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-20 00:58 . 2010-08-20 00:58 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx3B.tmp
2010-08-20 00:54 . 2010-08-20 00:54 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx39.tmp
2010-08-17 13:17 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 00:15 . 2010-08-17 00:15 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1B.tmp
2010-08-17 00:13 . 2010-08-17 00:13 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx19.tmp
2010-08-15 23:22 . 2010-08-15 23:22 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 23:21 . 2010-08-15 23:21 503808 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e865eca-n\msvcp71.dll
2010-08-15 23:21 . 2010-08-15 23:21 499712 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e865eca-n\jmc.dll
2010-08-15 23:21 . 2010-08-15 23:21 61440 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4227d90b-n\decora-sse.dll
2010-08-15 23:21 . 2010-08-15 23:21 348160 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4e865eca-n\msvcr71.dll
2010-08-15 23:21 . 2010-08-15 23:21 12800 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4227d90b-n\decora-d3d.dll
2010-08-15 23:21 . 2010-08-15 23:21 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 23:20 . 2006-07-19 16:59 -------- d-----w- c:\program files\Java
2010-08-15 04:13 . 2009-10-15 22:57 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-12 21:09 . 2006-07-19 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\GTek
2010-08-12 21:07 . 2006-07-19 17:03 -------- d-----w- c:\program files\Dell
2010-08-12 21:07 . 2006-07-19 17:07 -------- d-----w- c:\program files\Real
2010-08-12 20:57 . 2006-07-19 17:03 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-08-12 20:56 . 2006-07-19 17:03 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-08-12 20:52 . 2007-06-28 18:48 -------- d-----w- c:\program files\Steam
2010-08-12 20:44 . 2006-07-19 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-08-12 20:44 . 2006-07-19 17:07 -------- d-----w- c:\program files\Common Files\AOL
2010-08-12 20:43 . 2006-07-19 17:07 -------- d-----w- c:\program files\Common Files\aolshare
2010-08-10 23:29 . 2007-12-25 20:31 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-10 23:29 . 2007-12-25 20:31 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-08-10 01:26 . 2010-08-10 01:26 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx22.tmp
2010-08-10 01:26 . 2010-08-10 01:26 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx21.tmp
2010-08-10 01:24 . 2010-08-10 01:24 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx20.tmp
2010-08-10 01:24 . 2010-08-10 01:24 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1F.tmp
2010-08-10 01:23 . 2010-08-10 01:23 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1E.tmp
2010-08-10 01:19 . 2010-08-10 01:19 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx1D.tmp
2010-08-10 00:39 . 2010-08-10 00:39 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx5C.tmp
2010-08-10 00:37 . 2010-08-10 00:37 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx56.tmp
2010-08-10 00:33 . 2010-08-10 00:33 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx3D.tmp
2010-08-03 21:15 . 2006-09-04 19:56 -------- d-----w- c:\documents and settings\Daniel\Application Data\Image Zone Express
2010-08-01 04:13 . 2010-08-01 04:13 -------- d-----w- c:\documents and settings\Daniel\Application Data\MSNInstaller
2010-07-30 05:29 . 2010-07-30 05:29 21409808 ----a-w- c:\documents and settings\All Users\Application Data\Belkin\Belkin TrayApp\setup_40216717.exe
2010-07-30 05:29 . 2010-07-30 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin
2010-07-30 03:43 . 2010-07-30 03:43 -------- d-----w- c:\program files\Belkin
2010-07-22 15:49 . 2004-08-11 22:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 15:48 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31 . 2004-08-11 22:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 04:47 . 2010-06-24 04:47 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb52.tmp.exe
2010-06-23 13:44 . 2004-08-11 22:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2008-02-18 02:10 . 2006-07-22 22:12 88 --sh--r- c:\windows\system32\2DF8D85242.sys
2008-02-18 02:10 . 2006-07-22 22:12 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-09-18_00.31.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-19 21:52 . 2010-09-19 21:52 16384 c:\windows\Temp\Perflib_Perfdata_100.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-05-11 441120]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^YouTube Uploader.lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\YouTube Uploader.lnk
backup=c:\windows\pss\YouTube Uploader.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-09-09 03:42 864624 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-23 00:42 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 06:00 45056 ------w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-30 14:47 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-04-01 18:04 67128 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
2005-12-07 14:26 489472 ----a-w- c:\program files\Logitech\Video\CameraAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
2005-12-07 14:33 73728 ----a-w- c:\program files\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcq]
2005-09-14 19:40 229466 ------w- c:\program files\Creative\Shared Files\Media Sniffer\MtdAcq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-12 04:08 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-16 04:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-03-17 10:34 124656 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"=
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"CTxfiHlp"=CTXFIHLP.EXE
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\dmw2788\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\tubabubba\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/8/2010 10:43 PM 64288]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/29/2010 12:02 AM 102448]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]
S2 gupdate1c93c888294d7c2;Google Update Service (gupdate1c93c888294d7c2);c:\program files\Google\Update\GoogleUpdate.exe [11/1/2008 8:15 PM 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 7:15 AM 15008]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 5:34 AM 115952]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2010-09-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 03:42]

2009-09-02 c:\windows\Tasks\Blue Devils - F-Tuning (Ditty Cadence).job
- c:\documents and settings\Daniel\My Documents\My Music\iTunes\iTunes Music\Unknown Artist\Naruto\11 Track 11 (rap).m4a [2007-10-07 06:11]

2010-06-16 c:\windows\Tasks\Cancel apartment insurance policy reminder.job
- c:\documents and settings\Daniel\My Documents\Cancel your apartment insurance.doc [2010-06-16 18:24]

2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-02 01:15]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-02 01:15]

2010-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311269471-1733383960-847243865-1005Core.job
- c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 18:59]

2010-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3311269471-1733383960-847243865-1005UA.job
- c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 18:59]

2009-01-03 c:\windows\Tasks\Journal reminder.job
- c:\documents and settings\Daniel\My Documents\Journal\reminder 2.txt [2007-08-24 02:00]

2010-09-18 c:\windows\Tasks\Microsoft Office Word 2003.job
- c:\documents and settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office Word 2003.lnk [2006-07-22 02:03]

2010-09-16 c:\windows\Tasks\User_Feed_Synchronization-{1BF8318D-0EC3-416B-BC83-385052EB66C3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\me7gvhrl.default\
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Daniel\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-19 17:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3311269471-1733383960-847243865-1005\Software\SecuROM\License information*]
"datasecu"=hex:ec,d2,b5,c5,5b,e0,ba,21,79,a9,45,83,db,8a,91,83,3f,3d,41,48,f7,
01,26,3b,18,b4,d9,d4,20,e8,31,a7,d7,4d,ba,ab,dc,43,ce,bc,a6,9d,f5,eb,71,b7,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-09-19 17:37:30
ComboFix-quarantined-files.txt 2010-09-19 22:37
ComboFix2.txt 2010-09-18 00:33
ComboFix3.txt 2010-09-13 00:09
ComboFix4.txt 2010-09-12 14:51

Pre-Run: 91,402,461,184 bytes free
Post-Run: 91,382,018,048 bytes free

- - End Of File - - 8F6C0AC3647AB895C383006CA8FF89DF

ken545
2010-09-20, 01:49
Hi,

c:\documents and settings\All Users\Application Data\Viewpoint
My bad on this, it's a folder and not a file, that's why CF did not remove it. I would like you to delete it manually.

How are things running now ?

theredfox
2010-09-20, 04:14
The computer is running real well, actually. When I do Google searches, I don't get redirected either. It's a nice change to actually get the website you're looking for when you click a link ;). Is there anything else I should do before we shut down this thread?

ken545
2010-09-20, 10:29
Nope, looks like you're good to go, glad all is well again :)


TDSSKiller <--Drag it to the trash

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can damage your system.


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


When shown the disclaimer, select "2".

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)

Keep in mind, if you install some of these programs, only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.

Safe Surfn
Ken

theredfox
2010-09-21, 04:28
All right, sounds good. Thanks again, Ken, for your help! You're a life saver! Best wishes in all your future spyware fighting.

ken545
2010-09-21, 10:10
You're very welcome

Ken :)