View Full Version : PC infected
Hi, my PC appears to be infected with some sort of malware. Main symptom is a redirect when clicking on Google search results - although not always.
Would appreciate any help available!
DDS log below and attached
DDS (Ver_10-10-10.03) - NTFSx86
Run by Administrator at 21:35:58.09 on 15/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.905 [GMT 1:00]
AV: avast! antivirus 4.8.1368 [VPS 101015-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride =
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://managemyaccount.baa.com/vpns/scripts/vista/nsload.ocx
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = SbHpNp scecli ASWLNPkg legrfi.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: ccc-core-static - msiexec /fums {09258F12-48E7-B18E-C414-1F48C215685F} /qb
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\yz7gskh7.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {5C8F8568-A359-4461-BAE0-57C25F107AC7} - c:\documents and settings\administrator\local settings\application data\{5C8F8568-A359-4461-BAE0-57C25F107AC7}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-2-7 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-3-30 13696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-25 114768]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-2-7 5808]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-25 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-4-25 138680]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-3-30 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-7-27 540448]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-4-25 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-4-25 352920]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-9-19 36608]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2010-4-5 73368]
R3 WUSBVBus;MFP Server Detector;c:\windows\system32\drivers\mfpvbus.sys [2009-4-14 9472]
S2 ALIWEHCD;Belkin All-In-One Print Server Enhanced Controller;c:\windows\system32\drivers\mfpec.sys [2009-4-14 53152]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-4-10 266544]
=============== Created Last 30 ================
2010-10-15 20:15:58 -------- d-----w- c:\program files\ESET
2010-10-15 19:52:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-15 19:52:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-15 07:38:31 -------- d-----w- c:\program files\Trend Micro
2010-10-15 07:08:46 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-15 07:08:46 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-15 07:08:09 -------- d-----w- c:\program files\CrystalDiskInfo
2010-10-15 07:08:08 -------- d-----w- c:\program files\Lexmark 8300 Series
2010-10-15 07:07:36 -------- d-----w- c:\program files\Belkin
2010-10-15 07:07:31 -------- d-----w- c:\program files\TweetDeck
2010-10-14 22:07:45 -------- d-----w- c:\program files\STOPzilla!
2010-10-14 22:07:44 -------- d-----w- c:\program files\common files\iS3
2010-10-14 22:07:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-10-11 20:56:11 -------- d-----w- c:\program files\TweetDeck(2)
2010-10-09 18:23:54 -------- d-----w- c:\docume~1\admini~1\applic~1\Process Hacker 2
==================== Find3M ====================
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-25 21:14:18 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4(2)(2)(2).dll
============= FINISH: 21:37:53.92 ===============
Hello mattl and :welcome:
My name is JonTom.
Malware Logs can sometimes take a lot of time to research and interpret.
Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
PLEASE NOTE: If you do not reply after 5 days your thread will be closed.
Thank you for the log.
Before we begin I would like to see the results of an ARK scan.
Please work your way through the steps below. If you encounter any difficulties come back and let me know.
Please scan your system with GMER
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Please post the GMER log in your next reply.
Hi JonTom,
Thanks for your reply and sorry for the delay in coming back to you.
I have attached the gmer log file.
The 'Show All' checkbox was unticked, so I left it that way - not sure if I read your post correctly or not re. that one.
Please let me know if you need any more information!
Regards,
Matt
Hello mattl
Thank you for the log.
sorry for the delay in coming back to you No problem :)
You ran GMER just fine. Please do the following:
Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216).
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Hi JonTom,
I can't get ComboFix to run. I've downloaded it, double-clicked, slected 'Run' when Windows asks if I'm sure - but then, nothing. I had the same problem when I tried to run Microsoft's 'Malicious software removal tool', so I suspect this is a symptom of the issue with my machine. I'm also struggling, intermittently, to get a connection to the internet on the infected PC.
What should I do next?
Matt
Have managed to get ComboFix to run by renaming it - will post output shortly!
JonTom,
Contents of the ComboFix log are below. I could not install the recovery console as I couldn't get an internet connection on the affected PC at that point.
Matt
ComboFix 10-10-18.06 - Administrator 19/10/2010 21:37:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1439 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\cf1.exe
AV: avast! antivirus 4.8.1368 [VPS 101019-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\avdrn.dat
c:\windows\system32\Config.ini
E:\Autorun.inf
c:\windows\system32\drivers\SafeBoot.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.
2010-10-17 21:13 . 2010-10-17 21:13 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-17 21:12 . 2010-10-17 21:12 -------- d-----w- c:\program files\Belkin
2010-10-17 21:12 . 2010-10-17 21:12 -------- d-----w- c:\program files\TweetDeck
2010-10-15 20:24 . 2010-10-17 20:58 -------- d-----w- c:\program files\ERUNT
2010-10-15 20:15 . 2010-10-15 20:15 -------- d-----w- c:\program files\ESET
2010-10-15 19:52 . 2010-10-17 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-15 19:52 . 2010-10-17 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-15 07:38 . 2010-10-15 07:38 -------- d-----w- c:\program files\Trend Micro
2010-10-14 22:07 . 2010-10-17 21:09 -------- d-----w- c:\program files\STOPzilla!
2010-10-14 22:07 . 2010-10-14 22:07 -------- d-----w- c:\program files\Common Files\iS3
2010-10-14 22:07 . 2010-10-15 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-10-09 18:23 . 2010-10-09 18:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Process Hacker 2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 16:42 . 2008-08-16 16:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 16:42 . 2008-08-16 16:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 16:42 . 2008-08-16 16:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 16:42 . 2008-08-16 16:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 16:43 . 2008-08-16 16:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 16:42 . 2008-08-16 16:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 16:42 . 2008-08-16 16:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 07:41 . 2008-05-21 07:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 07:41 . 2008-05-21 07:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 07:41 . 2008-05-21 07:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 12:58 . 2008-06-05 12:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 16:42 . 2008-08-16 16:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-24 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Server Application for MFP Server"="c:\program files\Belkin\All-in-One Print Server\ServoApp.exe" [2006-08-03 290816]
"MFP Server Agent"="c:\program files\Belkin\All-in-One Print Server\MFPAgent.exe" [2006-08-31 716800]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 02:08 483328 ----a-w- c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 17:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CognizanceTS]
2003-12-22 17:12 17920 ----a-r- c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2007-05-03 09:52 57344 ----a-w- c:\program files\Hewlett-Packard\Default Settings\Cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 16:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 20:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2008-04-14 00:11 177152 ----a-w- c:\windows\system32\mqrt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-12-20 23:51 1187840 ----a-w- c:\windows\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-03-10 00:38 806912 ----a-w- c:\windows\CREATOR\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scheduler]
2006-10-09 18:23 697976 ----a-w- c:\windows\SMINST\Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 14:12 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 16:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-12 19:27 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-24 00:05 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-21 11:33 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2007-05-23 10:00 192512 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [07/02/2007 19:22 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [09/10/2006 21:31 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [30/03/2007 00:54 13696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [25/04/2008 13:54 114768]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [07/02/2007 19:23 5808]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 09:00 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 09:00 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25/04/2008 13:54 20560]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [30/03/2007 01:50 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [27/07/2007 08:22 540448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [19/09/2006 17:58 36608]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [05/04/2010 21:45 73368]
S2 ALIWEHCD;Belkin All-In-One Print Server Enhanced Controller;c:\windows\system32\Drivers\mfpec.sys --> c:\windows\system32\Drivers\mfpec.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 00:27 135664]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
S3 WUSBVBus;MFP Server Detector;c:\windows\system32\DRIVERS\mfpvbus.sys --> c:\windows\system32\DRIVERS\mfpvbus.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:27]
2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:27]
2010-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-568524876-1860272409-665803311-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 21:52]
2010-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-568524876-1860272409-665803311-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 21:52]
2010-10-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-568524876-1860272409-665803311-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
2010-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-568524876-1860272409-665803311-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
2010-10-19 c:\windows\Tasks\User_Feed_Synchronization-{6C28FC1D-A6EF-4EEC-89F1-A04C4DF0CB40}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://managemyaccount.baa.com/vpns/scripts/vista/nsload.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yz7gskh7.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {5C8F8568-A359-4461-BAE0-57C25F107AC7} - c:\documents and settings\Administrator\Local Settings\Application Data\{5C8F8568-A359-4461-BAE0-57C25F107AC7}
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-EzPrint - c:\program files\Lexmark 6300 Series\ezprint.exe
MSConfigStartUp-lxcdmon - c:\program files\Lexmark 6300 Series\lxcdmon.exe
MSConfigStartUp-RegClean Expert Scheduler - c:\program files\Registry Clean Expert\RCHelper.exe
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
MSConfigStartUp-Yrucumene - c:\windows\usifatufoqiwuhu.dll
ActiveSetup-ccc-core-static - msiexec
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8A38BEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74fbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72d2852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetLink (TM) Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf71cbbb0
PacketIndicateHandler -> NDIS.sys @ 0xf71baa0d
SendHandler -> NDIS.sys @ 0xf71ceb40
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-568524876-1860272409-665803311-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fe,9c,a4,32,e7,0a,0b,4a,b3,6a,02,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fe,9c,a4,32,e7,0a,0b,4a,b3,6a,02,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\SbHpNp.DLL
c:\windows\system32\RASAPI32.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
- - - - - - - > 'lsass.exe'(1052)
c:\windows\SbHpNp.dll
- - - - - - - > 'explorer.exe'(2988)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\windows\System32\SCardSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
.
**************************************************************************
.
Completion time: 2010-10-19 22:08:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-19 21:08
Pre-Run: 93,651,267,584 bytes free
Post-Run: 93,759,045,632 bytes free
- - End Of File - - 1E1BAF948EDC6CCF6FC2B41FD3159F09
Hello mattl
Good job with the rename :bigthumb:
I could not install the recovery console as I couldn't get an internet connection on the affected PC at that point Thanks for letting me know. It is very important that we have the Recovery Console installed on your machine. Lets try to take care of that now before we go any further:
Please download and Install the Windows Recovery Console
With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before removing any malware.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.
http://i266.photobucket.com/albums/ii277/sUBs_/KB310994.gif
Download the file and save it as it's originally named.
Transfer all of the downloaded files to the desktop of the infected computer.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Refering to the image below, drag the setup package onto the (renamed) ComboFix.exe icon and drop it.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
http://img.photobucket.com/albums/v706/ried7/whatnext.png
At the next prompt, click 'Yes' to run the full ComboFix scan.
When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
Thanks JonTom.
I have followed your instructions above and the result is as follows:
ComboFix 10-10-18.06 - Administrator 19/10/2010 23:43:30.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1430 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\cf1.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: avast! antivirus 4.8.1368 [VPS 101019-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\SafeBoot.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.
2010-10-17 21:13 . 2010-10-17 21:13 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-17 21:12 . 2010-10-17 21:12 -------- d-----w- c:\program files\Belkin
2010-10-17 21:12 . 2010-10-17 21:12 -------- d-----w- c:\program files\TweetDeck
2010-10-15 20:24 . 2010-10-17 20:58 -------- d-----w- c:\program files\ERUNT
2010-10-15 20:15 . 2010-10-15 20:15 -------- d-----w- c:\program files\ESET
2010-10-15 19:52 . 2010-10-17 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-15 19:52 . 2010-10-17 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-15 07:38 . 2010-10-15 07:38 -------- d-----w- c:\program files\Trend Micro
2010-10-14 22:07 . 2010-10-17 21:09 -------- d-----w- c:\program files\STOPzilla!
2010-10-14 22:07 . 2010-10-14 22:07 -------- d-----w- c:\program files\Common Files\iS3
2010-10-14 22:07 . 2010-10-15 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-10-09 18:23 . 2010-10-09 18:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Process Hacker 2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 16:42 . 2008-08-16 16:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 16:42 . 2008-08-16 16:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 16:42 . 2008-08-16 16:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 16:42 . 2008-08-16 16:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 16:43 . 2008-08-16 16:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 16:42 . 2008-08-16 16:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 16:42 . 2008-08-16 16:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 07:41 . 2008-05-21 07:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 07:41 . 2008-05-21 07:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 07:41 . 2008-05-21 07:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 12:58 . 2008-06-05 12:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 16:42 . 2008-08-16 16:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-24 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Server Application for MFP Server"="c:\program files\Belkin\All-in-One Print Server\ServoApp.exe" [2006-08-03 290816]
"MFP Server Agent"="c:\program files\Belkin\All-in-One Print Server\MFPAgent.exe" [2006-08-31 716800]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 02:08 483328 ----a-w- c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 17:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CognizanceTS]
2003-12-22 17:12 17920 ----a-r- c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2007-05-03 09:52 57344 ----a-w- c:\program files\Hewlett-Packard\Default Settings\Cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 16:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 20:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2008-04-14 00:11 177152 ----a-w- c:\windows\system32\mqrt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-12-20 23:51 1187840 ----a-w- c:\windows\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-03-10 00:38 806912 ----a-w- c:\windows\CREATOR\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scheduler]
2006-10-09 18:23 697976 ----a-w- c:\windows\SMINST\Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 14:12 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 16:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-12 19:27 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-24 00:05 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-21 11:33 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2007-05-23 10:00 192512 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [07/02/2007 19:22 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [09/10/2006 21:31 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [30/03/2007 00:54 13696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [25/04/2008 13:54 114768]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [07/02/2007 19:23 5808]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 09:00 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 09:00 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25/04/2008 13:54 20560]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [30/03/2007 01:50 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [27/07/2007 08:22 540448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [19/09/2006 17:58 36608]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [05/04/2010 21:45 73368]
S2 ALIWEHCD;Belkin All-In-One Print Server Enhanced Controller;c:\windows\system32\Drivers\mfpec.sys --> c:\windows\system32\Drivers\mfpec.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 00:27 135664]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
S3 WUSBVBus;MFP Server Detector;c:\windows\system32\DRIVERS\mfpvbus.sys --> c:\windows\system32\DRIVERS\mfpvbus.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:27]
2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:27]
2010-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-568524876-1860272409-665803311-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 21:52]
2010-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-568524876-1860272409-665803311-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 21:52]
2010-10-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-568524876-1860272409-665803311-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
2010-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-568524876-1860272409-665803311-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
2010-10-19 c:\windows\Tasks\User_Feed_Synchronization-{6C28FC1D-A6EF-4EEC-89F1-A04C4DF0CB40}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://managemyaccount.baa.com/vpns/scripts/vista/nsload.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yz7gskh7.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {5C8F8568-A359-4461-BAE0-57C25F107AC7} - c:\documents and settings\Administrator\Local Settings\Application Data\{5C8F8568-A359-4461-BAE0-57C25F107AC7}
.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8A39EEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74fbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72d2852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-568524876-1860272409-665803311-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fe,9c,a4,32,e7,0a,0b,4a,b3,6a,02,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fe,9c,a4,32,e7,0a,0b,4a,b3,6a,02,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1496)
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\SbHpNp.DLL
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
- - - - - - - > 'lsass.exe'(1552)
c:\windows\SbHpNp.dll
.
Completion time: 2010-10-20 00:04:04
ComboFix-quarantined-files.txt 2010-10-19 23:04
ComboFix2.txt 2010-10-19 21:08
Pre-Run: 93,730,025,472 bytes free
Post-Run: 93,716,180,992 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
- - End Of File - - 8E2D8508C5B2C6C070962830B75B9C7D
Hello mattl
Good job on installing the recovery Console :)
You have two issues that need a little more investigation here.
First, ComboFix reports that you have an infected file on your system, and that it is unable to find a suitable replacement. We will have to search for a replacement manually. Do you have your XP installation disk?
Second, GMER reported the presence of a rootkit infection on your system. I have a suspicion that this may not have been addressed in the steps we have taken so far so I would like you to run GMER again (I know the scan takes a long time but I would not ask you to do this if it was not important).
Please work your way through the steps below:
GMER
Please scan you system with GMER again (exactly the same way you did before).
MBRCheck
Please download MBRCheck by clicking here (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe) and save it to your desktop.
Be sure to disable your security programs.
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
A window will open on your desktop.
If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
If nothing unusual is found just press Enter.
A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file in your next reply.
Please scan the following files
Please go to VirusTotal (http://www.virustotal.com/)
On the page you'll find a "Browse" button.
Click on the Browse button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.
c:\windows\system32\drivers\SafeBoot.sys
Next, click the Open button.
Then click the "Send File" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now.
Once scanned, copy and paste the link to the results page in your next reply.
Please download SystemLook by JPShortstuff
Please download SystemLook by JPShortstuff by clicking here (http://jpshortstuff.247fixes.com/SystemLook.exe) or here (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe) and save the file (called SystemLook.exe) to your desktop.
Double click SystemLook.exe to run the program.
Copy the content of the following codebox into the main textfield:
:filefind
WudfPf.sy*
SafeBoot.sy*
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Let me know of you have your XP installation disk, and please post the GMER log, VirusTotal link, MBRCheck and Systemlook log in your next reply.
Hi JonTom,
I have attached the logs from GMER, MBRCheck and SystemLook.
When I try tro scan the file on Virus Total, it starts to process it and then just goes back to the 'upload a file' box on the homepage without displaying any results - any suggestions for what I might need to do differently?
Matt
Hello mattl
Thank you for the logs.
Please let me know if you have your XP installation disk? <===== (We may need it later on).
Any suggestions for what I might need to do differently? You are not doing anything wrong. Lets leave that file for now and work our way through the following steps:
TDSS Killer
Please read carefully and follow these steps.
Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double click on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png
If a suspicious file is detected, the default action will be Skip, click on Continue.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious-1.png
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Rootkit Unhooker
Please Download Rootkit Unhooker (http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE) and Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth. Uncheck the rest, then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in your next reply here.
Note: You may get the following warning, just click OK and continue.
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
Please post the TDSSKiller log and the Rootkit unhooker log in your next reply.
Hi JonTom,
Have followed your latest instructions. Logs below.
Matt
-----
2010/10/21 20:46:14.0312 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/21 20:46:14.0312 ================================================================================
2010/10/21 20:46:14.0312 SystemInfo:
2010/10/21 20:46:14.0312
2010/10/21 20:46:14.0312 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/21 20:46:14.0312 Product type: Workstation
2010/10/21 20:46:14.0312 ComputerName: ML-HPLAPTOP
2010/10/21 20:46:14.0312 UserName: Administrator
2010/10/21 20:46:14.0312 Windows directory: C:\WINDOWS
2010/10/21 20:46:14.0312 System windows directory: C:\WINDOWS
2010/10/21 20:46:14.0312 Processor architecture: Intel x86
2010/10/21 20:46:14.0312 Number of processors: 2
2010/10/21 20:46:14.0312 Page size: 0x1000
2010/10/21 20:46:14.0312 Boot type: Normal boot
2010/10/21 20:46:14.0312 ================================================================================
2010/10/21 20:46:14.0625 Initialize success
2010/10/21 20:46:22.0234 ================================================================================
2010/10/21 20:46:22.0234 Scan started
2010/10/21 20:46:22.0234 Mode: Manual;
2010/10/21 20:46:22.0234 ================================================================================
2010/10/21 20:46:22.0859 Aavmker4 (2ccfa74242741ca22a4267cce9b586f4) C:\WINDOWS\system32\drivers\Aavmker4.sys
2010/10/21 20:46:23.0031 Accelerometer (558a0039f0ef634397e1f61055504478) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
2010/10/21 20:46:23.0093 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/21 20:46:23.0125 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/10/21 20:46:23.0281 ADIHdAudAddService (be4beb3fde3edfad4ef2760722717b0f) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2010/10/21 20:46:23.0375 AEAudio (358063ab6c1c4173b735525cdfa65f94) C:\WINDOWS\system32\drivers\AEAudio.sys
2010/10/21 20:46:23.0437 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/21 20:46:23.0531 AgereSoftModem (90456051c422e09bc36e6340dd891f0c) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2010/10/21 20:46:23.0828 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/10/21 20:46:23.0906 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/10/21 20:46:23.0984 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/10/21 20:46:24.0265 aswFsBlk (b4079a98f294a3e262872cb76f4849f0) C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
2010/10/21 20:46:24.0281 aswMon2 (dbee7b5ecb50fc2cf9323f52cbf41141) C:\WINDOWS\system32\drivers\aswMon2.sys
2010/10/21 20:46:24.0296 aswRdr (8080d683489c99cbace813f6fa4069cc) C:\WINDOWS\system32\drivers\aswRdr.sys
2010/10/21 20:46:24.0328 aswSP (2e5a2ad5004b55df39b7606130a88142) C:\WINDOWS\system32\drivers\aswSP.sys
2010/10/21 20:46:24.0343 aswTdi (d4c83a37efadfa2c398362e0776e3773) C:\WINDOWS\system32\drivers\aswTdi.sys
2010/10/21 20:46:24.0531 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/21 20:46:24.0578 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/21 20:46:24.0734 ati2mtag (a1789368b4a31d2111af7aeda0c8d3fc) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/10/21 20:46:24.0937 ATSWPDRV (293e8cc3c246a89f4cca75b024ad757f) C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys
2010/10/21 20:46:25.0015 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/21 20:46:25.0125 b57w2k (74a65415dfaad20f06e7550fa9b6e012) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/10/21 20:46:25.0171 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/10/21 20:46:25.0343 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/21 20:46:25.0421 btaudio (3aa4bf555c00c5b87fd48dd7bdbd4e97) C:\WINDOWS\system32\drivers\btaudio.sys
2010/10/21 20:46:25.0468 BTDriver (07f0a66cfa550b13ad0674ae09e3cba0) C:\WINDOWS\system32\DRIVERS\btport.sys
2010/10/21 20:46:25.0562 BTKRNL (ba57f31eab93dc597d772f6f5b9ed54f) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2010/10/21 20:46:25.0765 BTWDNDIS (b1d350f3f13cf340fce93912d2ba1ebf) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2010/10/21 20:46:25.0812 btwmodem (e206ec370646e42dc862fd995869d31d) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
2010/10/21 20:46:25.0890 BTWUSB (57e91e9925976bbc98984eebaaf1d84c) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/10/21 20:46:26.0140 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/21 20:46:26.0218 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/21 20:46:26.0250 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/21 20:46:26.0296 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/10/21 20:46:26.0343 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/10/21 20:46:26.0453 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/21 20:46:26.0515 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/21 20:46:26.0718 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/21 20:46:26.0750 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/21 20:46:26.0812 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/21 20:46:26.0906 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/21 20:46:27.0093 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/21 20:46:27.0125 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/21 20:46:27.0171 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/21 20:46:27.0250 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/21 20:46:27.0421 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/21 20:46:27.0468 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
2010/10/21 20:46:27.0562 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/21 20:46:27.0640 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
2010/10/21 20:46:27.0828 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/21 20:46:27.0906 hpdskflt (5953c0952e4dd2b25b9adef05ab0285c) C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
2010/10/21 20:46:28.0046 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys
2010/10/21 20:46:28.0234 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/21 20:46:28.0437 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/21 20:46:28.0515 IFXTPM (f67554da27d5b55efcb6c7cb4818fbfd) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2010/10/21 20:46:28.0546 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/21 20:46:28.0609 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/21 20:46:28.0671 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/21 20:46:28.0843 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/21 20:46:28.0875 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/21 20:46:28.0937 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/21 20:46:28.0984 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/21 20:46:29.0031 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/21 20:46:29.0109 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/21 20:46:29.0312 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/21 20:46:29.0359 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/21 20:46:29.0406 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/21 20:46:29.0437 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/21 20:46:29.0500 MQAC (70c14f5cca5cf73f8a645c73a01d8726) C:\WINDOWS\system32\drivers\mqac.sys
2010/10/21 20:46:29.0625 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/21 20:46:29.0718 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/21 20:46:29.0781 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/21 20:46:29.0843 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/21 20:46:29.0859 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/21 20:46:29.0906 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/21 20:46:30.0000 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/21 20:46:30.0078 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/21 20:46:30.0109 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/21 20:46:30.0156 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/21 20:46:30.0234 Net6IM (4f6c729b7ee69bbd4ad0c8dd02edee6b) C:\WINDOWS\system32\DRIVERS\net6im51.sys
2010/10/21 20:46:30.0328 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/21 20:46:30.0421 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/21 20:46:30.0484 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/10/21 20:46:30.0531 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/21 20:46:30.0578 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/21 20:46:30.0718 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/21 20:46:30.0781 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/10/21 20:46:30.0859 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/21 20:46:30.0890 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/21 20:46:30.0937 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/21 20:46:30.0984 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/21 20:46:31.0140 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/21 20:46:31.0156 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/10/21 20:46:31.0296 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/21 20:46:31.0328 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/21 20:46:31.0390 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/21 20:46:31.0453 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/21 20:46:31.0703 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/21 20:46:31.0750 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/21 20:46:31.0796 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/21 20:46:31.0859 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/21 20:46:31.0890 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/21 20:46:32.0031 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/21 20:46:32.0093 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/21 20:46:32.0140 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/21 20:46:32.0203 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys
2010/10/21 20:46:32.0281 RsvLock (874ed329b959e7ca77168fd0f1b837e2) C:\WINDOWS\system32\drivers\RsvLock.sys
2010/10/21 20:46:32.0453 SafeBoot (bf2d1bc0649aedbe8caa47d2f89e8d47) C:\WINDOWS\system32\drivers\SafeBoot.sys
2010/10/21 20:46:32.0453 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\SafeBoot.sys. md5: bf2d1bc0649aedbe8caa47d2f89e8d47
2010/10/21 20:46:32.0453 SafeBoot - detected Locked file (1)
2010/10/21 20:46:32.0484 SbAlg (f6367fb350f8e5d3f6dd8040e4c0e33b) C:\WINDOWS\system32\drivers\SbAlg.sys
2010/10/21 20:46:32.0515 SbFsLock (df4a90b29b878e8cd95a1ac8f94ca954) C:\WINDOWS\system32\drivers\SbFsLock.sys
2010/10/21 20:46:32.0640 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
2010/10/21 20:46:32.0687 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
2010/10/21 20:46:32.0750 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/21 20:46:32.0937 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/21 20:46:33.0000 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/21 20:46:33.0062 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/21 20:46:33.0109 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/21 20:46:33.0453 SynTP (5876072999220ef2fba1ddec86d2b97e) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/10/21 20:46:33.0609 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/21 20:46:33.0687 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/21 20:46:33.0796 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/21 20:46:33.0937 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/21 20:46:33.0984 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/21 20:46:34.0125 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/21 20:46:34.0203 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/21 20:46:34.0437 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/21 20:46:34.0546 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/21 20:46:34.0609 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/21 20:46:34.0718 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/10/21 20:46:34.0828 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/21 20:46:34.0921 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/21 20:46:34.0984 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys
2010/10/21 20:46:35.0093 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/21 20:46:35.0171 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/21 20:46:35.0265 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/21 20:46:35.0328 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/21 20:46:35.0359 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/21 20:46:35.0437 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/21 20:46:35.0578 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/10/21 20:46:35.0703 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/21 20:46:35.0781 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/10/21 20:46:35.0937 WudfPf (da83a8f383bf60ec3996d12c6fa7dbf1) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/21 20:46:35.0937 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\WudfPf.sys. Real md5: da83a8f383bf60ec3996d12c6fa7dbf1, Fake md5: 6ff66513d372d479ef1810223c8d20ce
2010/10/21 20:46:35.0937 WudfPf - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/21 20:46:35.0984 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/21 20:46:36.0312 ================================================================================
2010/10/21 20:46:36.0312 Scan finished
2010/10/21 20:46:36.0312 ================================================================================
2010/10/21 20:46:36.0343 Detected object count: 2
2010/10/21 20:47:13.0281 Locked file(SafeBoot) - User select action: Skip
2010/10/21 20:47:13.0468 WudfPf (da83a8f383bf60ec3996d12c6fa7dbf1) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/21 20:47:13.0468 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\WudfPf.sys. Real md5: da83a8f383bf60ec3996d12c6fa7dbf1, Fake md5: 6ff66513d372d479ef1810223c8d20ce
2010/10/21 20:47:14.0906 Backup copy found, using it..
2010/10/21 20:47:14.0921 C:\WINDOWS\system32\DRIVERS\WudfPf.sys - will be cured after reboot
2010/10/21 20:47:14.0921 Rootkit.Win32.TDSS.tdl3(WudfPf) - User select action: Cure
2010/10/21 20:47:28.0187 Deinitialize success
-----
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF0F7000 C:\WINDOWS\System32\ati3duag.dll 2830336 bytes (ATI Technologies Inc. , ati3duag.dll)
0xF5E23000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 2179072 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF3AA000 C:\WINDOWS\System32\ativvaxx.dll 1273856 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xB99B6000 C:\WINDOWS\system32\DRIVERS\AGRSM.sys 1163264 bytes (Agere Systems, SoftModem Device Driver)
0xF5B4F000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 851968 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xF5D50000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 606208 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xF71D1000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF54F8000 C:\WINDOWS\system32\drivers\btaudio.sys 524288 bytes (Broadcom Corporation., Bluetooth Audio Device)
0xF5C51000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0xB91A2000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF5A88000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB92E9000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xAF15E000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF056000 C:\WINDOWS\System32\ati2cqag.dll 348160 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF0AB000 C:\WINDOWS\System32\atikvmag.dll 311296 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xB9AE9000 C:\WINDOWS\system32\drivers\ADIHdAud.sys 307200 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 278528 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xAE529000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xAF0C5000 C:\WINDOWS\system32\drivers\RMCast.sys 204800 bytes (Microsoft Corporation, Reliable Multicast Transport)
0xF5C1F000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 204800 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xF5AE6000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7346000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xAF2F6000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF71A4000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF5DE4000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 176128 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xB923A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF5CE1000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB929B000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF72D2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB92C3000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF54D4000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF5D2C000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF5D09000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB9279000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB909B000 C:\WINDOWS\System32\Drivers\aswSP.SYS 135168 bytes (ALWIL Software, avast! self protection module)
0xB913D000 C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys 135168 bytes (AuthenTec, Inc., (TEST) Slide Fingerprint USB Driver)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF729A000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF72F8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB911F000 C:\WINDOWS\system32\DRIVERS\btwdndis.sys 122880 bytes (Broadcom Corporation., Bluetooth LAN Access Server Driver)
0xF7317000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF7172000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF72BA000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB1DC1000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF718C000 SafeBoot.sys 98304 bytes
0xB9AD2000 C:\WINDOWS\system32\drivers\AEAudio.sys 94208 bytes (Andrea Electronics Corporation, Audio Noise Filtering Driver (32-bit))
0xF7271000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xAF11F000 C:\WINDOWS\system32\drivers\mqac.sys 94208 bytes (Microsoft Corporation, Windows NT MQ Access Control Device Driver)
0xF5B38000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAF43B000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 90112 bytes (ALWIL Software, avast! File System Filter Driver for Windows XP)
0xAED68000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF5CCD000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF5E0F000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB9342000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF725E000 tsk4.tmp 77824 bytes
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7374000 klmdb.sys 73728 bytes
0xF7288000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF5B16000 C:\WINDOWS\system32\DRIVERS\net6im51.sys 69632 bytes (Citrix Systems, Inc., Citrix Secure Access Driver)
0xF7335000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF5B27000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB94B8000 C:\WINDOWS\System32\Drivers\btwusb.sys 65536 bytes (Broadcom Corporation., Driver for Bluetooth USB Devices)
0xB298F000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7597000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF75E7000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7497000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xEB26B000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF7627000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF75A7000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB94C8000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xEBDB0000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF74A7000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF7567000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)
0xF74F7000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF75C7000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF60C7000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF74C7000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF75D7000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF60A7000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xEB24B000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7587000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF74B7000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF60B7000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF74D7000 SbAlg.sys 45056 bytes (SafeBoot N.V., SafeBoot FIPS AES Algorithm (256 bit))
0xF75F7000 C:\WINDOWS\system32\DRIVERS\Accelerometer.sys 40960 bytes (Hewlett-Packard Corporation, HP Accelerometer)
0xEB28B000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 40960 bytes (ALWIL Software, avast! TDI Filter Driver)
0xF7487000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7637000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF6087000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF74E7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7607000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7517000 hpdskflt.sys 36864 bytes (Hewlett-Packard Corporation, HP Disk Filter)
0xF75B7000 C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS 36864 bytes (Infineon Technologies AG, Infineon Trusted Platform Module)
0xF6097000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xEB25B000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAE88D000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7507000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xEB27B000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB1DF1000 C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys 32768 bytes (ALWIL Software, avast! File System Access Blocking Driver)
0xEBD68000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xEBD38000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF77F7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7877000 C:\WINDOWS\system32\DRIVERS\btport.sys 28672 bytes (Broadcom Corporation., Bluetooth BTPORT Driver for Windows 2000)
0xEBD30000 C:\WINDOWS\system32\DRIVERS\btwmodem.sys 28672 bytes (Broadcom Corporation., Bluetooth BTPORT Driver for Windows 2000)
0xF7817000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7807000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF780F000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xEBD60000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xEBD28000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 20480 bytes (ALWIL Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xF77FF000 C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys 20480 bytes (Hewlett-Packard Development Company, L.P., HpqKbFiltr Keyboard Filter Driver)
0xEBD40000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7827000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF782F000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF781F000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77EF000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xB3007000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xAEAED000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 16384 bytes (ALWIL Software, avast! TDI RDR Driver)
0xF789F000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF6D7D000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF7953000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7937000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF54C4000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF78A3000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789B000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF6D81000 C:\WINDOWS\system32\DRIVERS\cpqbttn.sys 12288 bytes (Hewlett-Packard Development Company, L.P., HP Tablet PC Key Button HID Driver)
0xB351D000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF6D75000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xEBB48000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF6D79000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xF7A29000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7991000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7A03000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7A27000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7A35000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A37000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7A39000 C:\WINDOWS\System32\Drivers\RsvLock.SYS 8192 bytes (SafeBoot International, SafeBoot Reserved Files Lock Driver)
0xF7993000 SbFsLock.sys 8192 bytes (SafeBoot International, SafeBoot FS Locker)
0xF7995000 speedfan.sys 8192 bytes
0xF79CF000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79CD000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7AB1000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7B35000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7A51000 giveio.sys 4096 bytes
0xF7BB5000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A50000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x038C0000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 102400 bytes
0x065B0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 102400 bytes
0x03470000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 102400 bytes
0x036C0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 102400 bytes
0x00D30000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x88DB4B30 ] PID: 3168, 110592 bytes
0x01150000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 110592 bytes
0x06860000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 110592 bytes
0x06980000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Wizard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 110592 bytes
0x01150000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 110592 bytes
0x040A0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Wizard.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 110592 bytes
0x06070000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 126976 bytes
0x05B70000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 1413120 bytes
0x05F70000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 143360 bytes
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\SafeBoot.sys]
0x06680000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 1683456 bytes
0x036F0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 1683456 bytes
0x06820000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 176128 bytes
0x06950000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 192512 bytes
0x04060000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 192512 bytes
0x06010000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 217088 bytes
0x041C0000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 233472 bytes
0x00EE0000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x88DB4B30 ] PID: 3168, 28672 bytes
0x01120000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x88DB4B30 ] PID: 3168, 28672 bytes
0x05CE0000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x04A00000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x03FA0000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x00D60000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x00D80000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x038E0000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x03D40000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x03D80000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x03FB0000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x04240000 Hidden Image-->DEM.OS.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x04230000 Hidden Image-->DEM.OS.I0602.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x049C0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x049D0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x04D00000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x05D00000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x05CF0000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x05F60000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x063E0000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x06400000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 28672 bytes
0x038B0000 Hidden Image-->atixclib.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 28672 bytes
0x035B0000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 28672 bytes
0x03440000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 28672 bytes
0x00D60000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 28672 bytes
0x00D80000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 28672 bytes
0x03430000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 28672 bytes
0x03450000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 28672 bytes
0x035E0000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 28672 bytes
0x01130000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x88DB4B30 ] PID: 3168, 307200 bytes
0x00DC0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x88DB0020 ] PID: 2220, 307200 bytes
0x00DC0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x88D3EB30 ] PID: 2128, 307200 bytes
0x03FC0000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x88DB0020 ] PID: 2220, 315392 bytes
0x06900000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Wizard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 315392 bytes
0x03FF0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Wizard.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 315392 bytes
0x06420000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 356352 bytes
0x04980000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x88DB4B30 ] PID: 3168, 36864 bytes
0x03920000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x01270000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x03900000 Hidden Image-->AEM.Foundation.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x04220000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x04A20000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x04A30000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x04A50000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x04BE0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x04C40000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x04CA0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x04CF0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x04DB0000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x04DC0000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x06410000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 36864 bytes
0x04040000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 36864 bytes
0x03620000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 36864 bytes
0x01170000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 36864 bytes
0x03460000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 36864 bytes
0x03600000 Hidden Image-->AEM.Foundation.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 36864 bytes
0x04050000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 36864 bytes
0x041B0000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 36864 bytes
0x04E40000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 36864 bytes
0x04030000 Hidden Image-->System.Management.dll [ EPROCESS 0x88DB0020 ] PID: 2220, 380928 bytes
0x06110000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 413696 bytes
0x06880000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 413696 bytes
0x03F60000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 413696 bytes
0x05FA0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 446464 bytes
0x00D60000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x88DB4B30 ] PID: 3168, 45056 bytes
0x01190000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x88DB4B30 ] PID: 3168, 45056 bytes
0x04970000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x88DB4B30 ] PID: 3168, 45056 bytes
0x00D50000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x00D30000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x00E20000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x01290000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x038F0000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x03910000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x03D60000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x04BB0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x04BD0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x04C20000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x04C80000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x04D70000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 45056 bytes
0x00D50000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 45056 bytes
0x00D30000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 45056 bytes
0x00E20000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 45056 bytes
0x03490000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 45056 bytes
0x034A0000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 45056 bytes
0x03FE0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 45056 bytes
0x04E30000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 45056 bytes
0x033B0000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 479232 bytes
0x06090000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 487424 bytes
0x064A0000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 495616 bytes
0x03640000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 495616 bytes
0x04D40000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 53248 bytes
0x03F90000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 53248 bytes
0x04A10000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 53248 bytes
0x04C50000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 53248 bytes
0x04CE0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 53248 bytes
0x04D60000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 53248 bytes
0x05CD0000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 53248 bytes
0x063F0000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 53248 bytes
0x01290000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 53248 bytes
0x035D0000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 53248 bytes
0x03890000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 53248 bytes
0x03F40000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 53248 bytes
0x041A0000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 53248 bytes
0x06520000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 585728 bytes
0x00D70000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 61440 bytes
0x04210000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 61440 bytes
0x04250000 Hidden Image-->ATIDEMOS.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 61440 bytes
0x04BC0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 61440 bytes
0x04C70000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 61440 bytes
0x04CD0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 61440 bytes
0x04DA0000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 61440 bytes
0x00D70000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 61440 bytes
0x035F0000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 61440 bytes
0x04090000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 61440 bytes
0x06240000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 659456 bytes
0x065D0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 675840 bytes
0x01100000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x88DB4B30 ] PID: 3168, 69632 bytes
0x00D90000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 69632 bytes
0x049E0000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 69632 bytes
0x04B90000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 69632 bytes
0x04D10000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 69632 bytes
0x00D90000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 69632 bytes
0x040C0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 69632 bytes
0x069A0000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Wizard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 700416 bytes
0x040F0000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Wizard.DLL [ EPROCESS 0x88D3EB30 ] PID: 2128, 700416 bytes
0x04B70000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 86016 bytes
0x05E30000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 86016 bytes
0x062F0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL [ EPROCESS 0x88DB0020 ] PID: 2220, 921600 bytes
Hello mattl
Thank you for the logs.
I can see that you have HP ProtectTools Security Manager installed. <==== Please let me know if you use this/or if you have ever tried to uninstall it (Important)
Please run ComboFix again and post the log created and let me know how your machine is running now.
Hi JonTom,
I think that HP ProtectTools Security Manager was packaged on the PC when I bought it. I do not use it, and as far as I know, I have never tried to uninstall it.
Also, to answer an earlier question that I missed - no, I don't think I have a Windows disk for this machine.
The PC seems to be running better now - it is starting up 'normally' each time and I can get a network connection consistently.
Am just running ComboFix again, so will post log shortly.
Matt
Latest ComboFix log:
ComboFix 10-10-20.04 - Administrator 21/10/2010 23:23:42.3.2 - x86
Running from: c:\documents and settings\Administrator\Desktop\cf1.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Application Data\{5C8F8568-A359-4461-BAE0-57C25F107AC7}
c:\documents and settings\Administrator\Local Settings\Application Data\{5C8F8568-A359-4461-BAE0-57C25F107AC7}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{5C8F8568-A359-4461-BAE0-57C25F107AC7}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{5C8F8568-A359-4461-BAE0-57C25F107AC7}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{5C8F8568-A359-4461-BAE0-57C25F107AC7}\install.rdf
.
((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.
2010-10-19 22:23 . 2010-10-19 23:04 -------- d-----w- C:\cf1
2010-10-17 21:13 . 2010-10-17 21:13 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-17 21:12 . 2010-10-17 21:12 -------- d-----w- c:\program files\Belkin
2010-10-17 21:12 . 2010-10-17 21:12 -------- d-----w- c:\program files\TweetDeck
2010-10-15 20:24 . 2010-10-17 20:58 -------- d-----w- c:\program files\ERUNT
2010-10-15 20:15 . 2010-10-15 20:15 -------- d-----w- c:\program files\ESET
2010-10-15 19:52 . 2010-10-17 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-15 19:52 . 2010-10-17 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-15 07:38 . 2010-10-15 07:38 -------- d-----w- c:\program files\Trend Micro
2010-10-14 22:07 . 2010-10-17 21:09 -------- d-----w- c:\program files\STOPzilla!
2010-10-14 22:07 . 2010-10-14 22:07 -------- d-----w- c:\program files\Common Files\iS3
2010-10-14 22:07 . 2010-10-15 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-10-09 18:23 . 2010-10-09 18:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Process Hacker 2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 16:42 . 2008-08-16 16:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 16:42 . 2008-08-16 16:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 16:42 . 2008-08-16 16:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 16:42 . 2008-08-16 16:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 16:43 . 2008-08-16 16:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 16:42 . 2008-08-16 16:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 16:42 . 2008-08-16 16:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 07:41 . 2008-05-21 07:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 07:41 . 2008-05-21 07:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 07:41 . 2008-05-21 07:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 12:58 . 2008-06-05 12:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 16:42 . 2008-08-16 16:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-10-19_22.59.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-21 20:04 . 2010-10-21 20:04 16384 c:\windows\Temp\Perflib_Perfdata_434.dat
+ 2010-10-21 20:04 . 2010-10-21 20:04 16384 c:\windows\Temp\Perflib_Perfdata_39c.dat
+ 2010-10-21 20:04 . 2010-10-21 20:04 16384 c:\windows\Temp\Perflib_Perfdata_334.dat
+ 2004-08-07 13:14 . 2010-10-21 20:08 81116 c:\windows\system32\perfc009.dat
+ 2006-09-29 01:55 . 2010-10-21 19:49 77696 c:\windows\system32\drivers\WudfPf.sys
- 2006-09-29 01:55 . 2008-01-18 22:52 77696 c:\windows\system32\drivers\WudfPf.sys
+ 2004-08-07 13:14 . 2010-10-21 20:08 469138 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-24 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Server Application for MFP Server"="c:\program files\Belkin\All-in-One Print Server\ServoApp.exe" [2006-08-03 290816]
"MFP Server Agent"="c:\program files\Belkin\All-in-One Print Server\MFPAgent.exe" [2006-08-31 716800]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 02:08 483328 ----a-w- c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
2005-04-04 17:58 856064 ----a-w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CognizanceTS]
2003-12-22 17:12 17920 ----a-r- c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2007-05-03 09:52 57344 ----a-w- c:\program files\Hewlett-Packard\Default Settings\Cpqset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 16:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 20:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2008-04-14 00:11 177152 ----a-w- c:\windows\system32\mqrt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-12-20 23:51 1187840 ----a-w- c:\windows\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-03-10 00:38 806912 ----a-w- c:\windows\CREATOR\Remind_XP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scheduler]
2006-10-09 18:23 697976 ----a-w- c:\windows\SMINST\Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 14:12 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 16:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-12 19:27 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-24 00:05 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-21 11:33 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2007-05-23 10:00 192512 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [07/02/2007 19:22 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [09/10/2006 21:31 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [30/03/2007 00:54 13696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [25/04/2008 13:54 114768]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [07/02/2007 19:23 5808]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 09:00 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 09:00 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25/04/2008 13:54 20560]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [30/03/2007 01:50 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [27/07/2007 08:22 540448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [19/09/2006 17:58 36608]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [05/04/2010 21:45 73368]
S2 ALIWEHCD;Belkin All-In-One Print Server Enhanced Controller;c:\windows\system32\Drivers\mfpec.sys --> c:\windows\system32\Drivers\mfpec.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 00:27 135664]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
S3 WUSBVBus;MFP Server Detector;c:\windows\system32\DRIVERS\mfpvbus.sys --> c:\windows\system32\DRIVERS\mfpvbus.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:27]
2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:27]
2010-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-568524876-1860272409-665803311-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 21:52]
2010-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-568524876-1860272409-665803311-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-18 21:52]
2010-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-568524876-1860272409-665803311-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
2010-10-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-568524876-1860272409-665803311-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 22:09]
2010-10-21 c:\windows\Tasks\User_Feed_Synchronization-{6C28FC1D-A6EF-4EEC-89F1-A04C4DF0CB40}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride =
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://managemyaccount.baa.com/vpns/scripts/vista/nsload.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yz7gskh7.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-klmdb.sys
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-568524876-1860272409-665803311-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fe,9c,a4,32,e7,0a,0b,4a,b3,6a,02,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fe,9c,a4,32,e7,0a,0b,4a,b3,6a,02,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1488)
c:\windows\system32\APSHook.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\SbHpNp.DLL
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittal.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll
- - - - - - - > 'lsass.exe'(1544)
c:\windows\system32\APSHook.dll
c:\windows\SbHpNp.dll
.
Completion time: 2010-10-21 23:35:03
ComboFix-quarantined-files.txt 2010-10-21 22:35
ComboFix2.txt 2010-10-19 23:04
ComboFix3.txt 2010-10-19 21:08
Pre-Run: 94,412,210,176 bytes free
Post-Run: 94,399,111,168 bytes free
- - End Of File - - C6CD4C5902AA4DB6B76EB9D71DF2D115
Hello mattl
Thank you for the log.
I think that HP ProtectTools Security Manager was packaged on the PC when I bought it. I do not use it, and as far as I know, I have never tried to uninstall it.
Also, to answer an earlier question that I missed - no, I don't think I have a Windows disk for this machine. Thanks for letting me know. Things are looking much better now so we may not need it.
It appears as though you had Stopzilla installed on your system at one time. Stopzilla is a program with questionable credentials.
Please search for the following folders
Right-click your "Start" button and select "Explore".
Navigate to and delete the following folders in bold.
c:\program files\STOPzilla! <==== Delete this folder.
c:\documents and settings\All Users\Application Data\STOPzilla! <==== Delete this folder.
I can see evidence of Symantec (Norton) products on your machine. As you are presently using AVAST, lets take care of the Norton remnants:
Please download and run the Norton Removal Tool
The Norton removal tool will locate and remove all traces of Norton products from your computer.
To download the tool, click here. (http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN)
Read throught the information on the page, and then select the Norton product that you have (this is the one that will be removed).
Follow the instructions to obtain the removal tool and to complete the removal process.
Clean out your temporary files
Please download ATF Cleaner by Atribune by clicking here (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and save the file (called ATF-Cleaner.exe) to your desktop.
Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
Check the boxes to the left of the following:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
The rest are optional. If you want to remove everything check the "Select All" box.
Click on "Empty Selected" to begin cleaning.
Once the "Done Cleaning" message appears, click OK.
If you use Firefox, Click on the Firefox tab and repeat the above process.
When you have finished cleaning, click on the "Exit" button in the main menu.
Please perform the following scan:
Please download MalwareBytes AntiMalware by clicking here (http://www.besttechie.net/tools/mbam-setup.exe) and save the file (called mbam-setup.exe) to your desktop.
Double click on the mbam-setup.exe icon to install the program.
Follow the prompts during installation and have the Installation Wizzard create a desktop icon.
Once installed, double click on the MalwareBytes AntiMalware icon to launch the program.
Click on the "Update" tab and then on "Check for Updates".
The program will now install the latest Malware definition files.
Once complete, click on the "Scanner" tab, select "Perform Quick Scan"and then click on "Scan".
Once the program has scanned your computer, a log file will be created in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Come back here to this thread and Paste the log in your next reply.
Please post the MBAM log in your next reply :)
Hi JonTom,
MBAM log below. All looking good!
Matt
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4917
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
22/10/2010 20:40:44
mbam-log-2010-10-22 (20-40-44).txt
Scan type: Quick scan
Objects scanned: 141460
Time elapsed: 8 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hello mattl
Thank you for the log.
Lets get your Java updated and run an Online Scan to check for anything that may have been missed:
Please update your Java
Click on "Start", then on "Control Panel".
Go to "Add or Remove Programs" and uninstall any previous versions of Java that you find.
Reboot your computer.
Next, download the latest version of Java by clicking here (http://java.sun.com/javase/downloads/index.jsp)
Scroll down the page until you reach "Java Platform Standard Edition".
Beneath this and to the right, you will see a button marked "Download JRE".
Click the "Download JRE" button.
Select the platform (Windows, in your case), multi language.
Accept the license agreement and click on "Continue".
You do not have to register if you do not want to (the registration step is optional).
Scroll down and click on the file called jre-6u22-windows-i586.exe located under "Windows Offline Installation".
Save the file to your desktop.
Do not select Run.
Double click on the saved file (jre-6u22-windows-i586.exe) to install the update.
Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.
Please perform the following scan:
This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.
It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
DO NOT surf the net while your resident protection is disabled!
Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.
Please perform a Kaspersky Online Scan of your computer by clicking here (http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html?n=1240137288999) or here (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html).
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run (at times it may appear to stall).
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
If you need help performing the above steps, an animated tutorial can be found here. (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)
Please post the Kaspersky Online Scan log and a new DDS scan log in your next reply and let me know how she's running.
Hi JonTom,
All done and Kaspersky log below.
Running well - I'm even tempted to say better than before all this started!
Matt
PS - The bottom three files shown in the log are from a website I manage, which I know was compromised at a point in the past.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 23, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 22, 2010 15:10:58
Records in database: 4184543
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Objects scanned: 202892
Threats found: 11
Infected objects found: 18
Suspicious objects found: 0
Scan duration: 05:22:05
File name / Threat / Threats count
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\35\4b9066a3-13d8d47e Infected: Trojan-Downloader.Java.Agent.hx 1
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\35\4b9066a3-74709dc5 Infected: Trojan-Downloader.Java.Agent.hx 1
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Trojan-Downloader.Win32.Agent.odk 1
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Trojan-Downloader.HTML.Agent.km 5
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Trojan.Win32.Agent.zeg 1
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Trojan-Downloader.Win32.Small.aeqm 1
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Trojan-Downloader.Win32.Agent.anaq 1
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.2.vir Infected: Trojan-Clicker.JS.Agent.h 1
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.3.vir Infected: Trojan-Clicker.HTML.IFrame.ey 1
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.4.vir Infected: Trojan-Clicker.HTML.IFrame.gt 1
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.vir Infected: Trojan-Clicker.JS.Agent.h 1
C:\Websites\BTCCPages download 090306\etcc\2004\index.php Infected: Trojan-Clicker.JS.Agent.h 1
C:\Websites\BTCCPages download 090306\shop\shopwindow\index.php Infected: Trojan-Downloader.JS.Iframe.as 1
C:\Websites\BTCCPages download 090306\teampsp\news\index.php Infected: Trojan-Clicker.HTML.IFrame.ob 1
Selected area has been scanned.
Hello mattl
Thank you for the log.
Kaspersky has identified a number of infected files that we will deal with in the steps below.
It has also identified some infections located in your MicroSoft Outlook e-mail archive. Unfortunatley the scan does not tell us which e-mails are infected, only that they are on your system. For this reason you are advised to access your Outlook e-mail archive and delete all old e-mails from anyone that you don't know, and any with attachments such as jokes or videos.
Information describing how to delete your archive can be found here: http://www.ehow.com/how_5100985_remove-outlook-archive.html
Please download OTM
Please download OTM by OldTimer by clicking here. (http://oldtimer.geekstogo.com/OTM.exe)
Save the file (called OTM.exe) to your desktop.
Double click on the OTM.exe icon to run the program. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
explorer.exe
:Files
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\35\4b9066a3-13d8d47e
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\35\4b9066a3-74709dc5
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.2.vir
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.3.vir
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.4.vir
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.vir
C:\Websites\BTCCPages download 090306\etcc\2004\index.php
C:\Websites\BTCCPages download 090306\shop\shopwindow\index.php
C:\Websites\BTCCPages download 090306\teampsp\news\index.php
:Commands
[Purity]
[EmptyTemp]
[Emptyflash]
[Start Explorer]
[Reboot]
Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Please post the OTM log and a new DDS log in your next reply.
Hi JonTom,
Have followed the instructions above. OTM and DDS logs below and attached.
Matt
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\35\4b9066a3-13d8d47e moved successfully.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\35\4b9066a3-74709dc5 moved successfully.
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.2.vir moved successfully.
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.3.vir moved successfully.
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.4.vir moved successfully.
C:\Program Files\Alwil Software\Avast4\DATA\moved\index.html.vir moved successfully.
C:\Websites\BTCCPages download 090306\etcc\2004\index.php moved successfully.
C:\Websites\BTCCPages download 090306\shop\shopwindow\index.php moved successfully.
C:\Websites\BTCCPages download 090306\teampsp\news\index.php moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 110142359 bytes
->Temporary Internet Files folder emptied: 9083769 bytes
->Java cache emptied: 79156254 bytes
->FireFox cache emptied: 47153505 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 166788 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49242 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 109915424 bytes
Total Files Cleaned = 339.00 mb
OTM by OldTimer - Version 3.1.16.1 log created on 10232010_133325
Files moved on Reboot...
File C:\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\1008 not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF707D.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7092.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7249.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF72BE.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7E9E.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7EB4.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB20.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB34.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDAE.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDE3F.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDE6.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDE61.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFFF63.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFFFB3.tmp not found!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZFZWB89F\;scat=computersoftware;sscat=othercomputersoftware;art=5100985;qg=;tc=;vid=0;ctype=articles;ugc=0;lvl=4;qcseg=D;tile=3;sz=300x250;ord=3558733870069838[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZFZWB89F\how_5100985_remove-outlook-archive[1].html moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZFZWB89F\iframe3[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZFZWB89F\info[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MAWN3SDR\like[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MAWN3SDR\like[2].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MAWN3SDR\pngbehavior[1].htc moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MAWN3SDR\xd_receiver[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4FDXEDYD\accounts_hub[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3CG14JYI\;scat=computersoftware;sscat=othercomputersoftware;art=5100985;qg=;tc=;vid=0;ctype=articles;ugc=0;lvl=4;qcseg=D;tile=4;sz=300x310;ord=3558733870069838[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3CG14JYI\sh25[1].html moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\3CG14JYI\showthread[2].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_328.dat moved successfully.
Registry entries deleted on Reboot...
-----
DDS (Ver_10-10-21.02) - NTFSx86
Run by Administrator at 13:42:12.32 on 23/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1282 [GMT 1:00]
AV: avast! antivirus 4.8.1368 [VPS 101023-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\notepad.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride =
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://agaycam01.dyndns.org:8083/activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://managemyaccount.baa.com/vpns/scripts/vista/nsload.ocx
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: c:\windows\system32\APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = SbHpNp scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\yz7gskh7.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-2-7 100495]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-3-30 13696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-25 114768]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-2-7 5808]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-25 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-4-25 138680]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-3-30 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-7-27 540448]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-4-25 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-4-25 352920]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-9-19 36608]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2010-4-5 73368]
S2 ALIWEHCD;Belkin All-In-One Print Server Enhanced Controller;c:\windows\system32\drivers\mfpec.sys --> c:\windows\system32\drivers\mfpec.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-4-10 266544]
S3 WUSBVBus;MFP Server Detector;c:\windows\system32\drivers\mfpvbus.sys --> c:\windows\system32\drivers\mfpvbus.sys [?]
=============== Created Last 30 ================
2010-10-23 12:33:25 -------- d-----w- C:\_OTM
2010-10-22 21:36:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-22 21:21:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-22 21:21:59 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-22 21:06:08 -------- d-----w- c:\program files\Sun
2010-10-22 20:54:53 -------- d-----w- c:\windows\system32\appmgmt
2010-10-22 19:31:33 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-10-22 19:31:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-22 19:31:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-22 19:31:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-22 19:31:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-21 22:19:38 -------- d-----w- C:\cf13849c
2010-10-19 22:25:12 -------- d-sha-r- C:\cmdcons
2010-10-19 22:23:29 -------- d-----w- C:\cf1
2010-10-19 20:20:51 98816 ----a-w- c:\windows\sed.exe
2010-10-19 20:20:51 77312 ----a-w- c:\windows\MBR.exe
2010-10-19 20:20:51 256512 ----a-w- c:\windows\PEV.exe
2010-10-19 20:20:51 161792 ----a-w- c:\windows\SWREG.exe
2010-10-17 21:13:27 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-17 21:13:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-17 21:12:58 -------- d-----w- c:\program files\Belkin
2010-10-17 21:12:54 -------- d-----w- c:\program files\TweetDeck
2010-10-15 20:15:58 -------- d-----w- c:\program files\ESET
2010-10-15 19:52:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-15 19:52:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-15 07:38:31 -------- d-----w- c:\program files\Trend Micro
2010-10-14 22:07:44 -------- d-----w- c:\program files\common files\iS3
2010-10-11 20:56:11 -------- d-----w- c:\program files\TweetDeck(2)
2010-10-09 18:23:54 -------- d-----w- c:\docume~1\admini~1\applic~1\Process Hacker 2
==================== Find3M ====================
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet(3)(2)(3).dll
2010-09-10 05:58:08 1210880 ----a-w- c:\windows\system32\urlmon(3)(2)(3).dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1986560 ----a-w- c:\windows\system32\iertutil(2)(2)(3).dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58:05 11080192 ----a-w- c:\windows\system32\ieframe(2)(2)(3).dll
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd(3)(2)(3).dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k(2)(2)(2).sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32(2)(2)(2).dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4(2)(2)(3).dll
2010-07-25 21:14:18 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
============= FINISH: 13:43:47.21 ===============
Hello mattl
You log appears to be clean.
Good work :)
Please work through the following steps:
Please Uninstall Combofix
Click on "Start" and then on "Run".
Now type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.
Please perform the following cleanup procedure
Double click on the OTM.exe icon on your desktop to run the program. (Note: If you are running Vista/Windows 7, right-click on the file and choose Run As Administrator).
Once OTM has opened, click on the "CleanUp!" button.
Follow any prompts that you receive.
Removal of Tools
You no longer need MBRCheck, SystemLook, TDSSKiller, Rootkit Unhooker or Norton Removal Tool. Please delete them from your machine.
Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.
Finally, please take the time to read through the information provided below:
Enhance your System Security
For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here. (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)
IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
Once complete, remember to re-engage your resident security before going online.
Web Browsers and Browser Security
Firefox
Firefox is generally considered to have greater browsing security in comparison to other popular programs. You can download Firefox 3.0 from here. (http://www.mozilla.com/en-US/firefox/)
No-Script
If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
You can download No-Script by clicking here. (https://addons.mozilla.org/en-US/firefox/addon/722)
Internet Explorer
The newest version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)
SpywareBlaster
If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
You can download SpywareBlaster by clicking here. (http://www.javacoolsoftware.com/sbdownload.html)
Web of Trust
When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
You can download Web of Trust by clicking here. (http://www.mywot.com/)
Keep your Software Updated
Outdated software can sometimes have vulnerabilities that are exploitable by malware.
Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here. (http://secunia.com/vulnerability_scanning/online/)
Passwords
Learn how to create strong passwords by clicking here (http://www.microsoft.com/protect/yourself/password/create.mspx) and test the strength of the passwords you already use by clicking here. (http://www.microsoft.com/protect/yourself/password/checker.mspx)
General Reading
PC Safety and Security - What do I need? (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)
How to prevent Malware (by Miekiemoes) (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
Learn How To Combat Malware
Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here. (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)
Hi JonTom,
I have followed through your final instructions and all seems to be running smoothly. I think all that is left is for me to thank you for helping me get my pc back!
I hope I don't need your help again, but I am very grateful for what you have done and I won't hesitate to recommend the site to friends.
Thanks again,
Matt
You are Very Welcome mattl
Glad we could help :)
Best wishes
JonTom
Since this problem appears to be resolved this topic is now closed.
If you are the topic starter and need this topic reopened, please PM a staff member (include the address of this thread in your request).
Everyone else please start a new topic.
Best wishes
JonTom