
Click.GiftLoad not removed by spybot



pherron
2011-03-13, 22:56
I have Click.GiftLoad on my PC. Spybot S&D detected it and said it was removed but it keeps recurring. I removed it in Safe Mode. I also ran Malwarebytes and SuperAntiSpyware but they did not detect it.
Spybot also detected Win32.Fraudload.edt and seems to have removed it.

The malware redirects web searches, but not consistently. It also seems to interfere with system stability. My PC has become unstable and svchost.exe seems to be using high resources and crashing. I have had several blue screen crashes today.

I have used a registry cleaner in the recent past, not being aware that this was unwise. I have also restored to a previous system restore point when I first realised I had a problem.

I would be very grateful for help in resolving this problem.

Here is the dds.txt file.


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Peter Herron at 21:34:44.89 on 13/03/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.882 [GMT 0:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\oodag.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\Dwm.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Users\Peter Herron\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Peter Herron\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Users\Peter Herron\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:55192
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: NXIECatcher Class: {83b80a9c-d91a-4f22-8dcf-ea7204039f79} - c:\program files\xi\netxfer\NXIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\peter herron\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - res://c:\program files\flash capture\fciext.dll/FCIEXT.htm
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} - hxxp://static.photobox.co.uk/sg/common/uploader_uni.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - hxxp://www.instantaction.com/download/iaplayer.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
Hosts: 195.122.131.250 rapidshare.com
Hosts: 195.122.131.250 www.rapidshare.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\peterh~1\appdata\roaming\mozilla\firefox\profiles\y6gzbwgg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\sony\media go\npmediago.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\users\peter herron\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\peter herron\appdata\roaming\mozilla\firefox\profiles\y6gzbwgg.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-9-12 20328]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-20 21504]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-3-13 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-7-14 239648]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-15 136176]
S3 IAMT03;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMT03.sys [2007-5-9 40848]
S3 IAMTV;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMTV.sys [2007-5-9 38280]
S3 Media Jukebox 14 Service;Media Jukebox 14 Service;c:\program files\j river\media jukebox 14\JRService.exe [2011-1-26 379400]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [2007-5-9 47496]
S4 ioatdma;IOATDMA.SYS Intel(R) 5000 Series Chipsets Integrated Device - 1A38;c:\windows\system32\drivers\ioatdma.sys [2007-5-9 32136]
S4 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-5-9 34176]
S4 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-5-9 28800]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-03-13 19:42:54 -------- d-----w- c:\program files\CCleaner
2011-03-13 18:02:51 -------- d-----w- c:\users\peterh~1\appdata\roaming\SUPERAntiSpyware.com
2011-03-13 18:02:51 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-03-13 18:02:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-13 14:57:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-13 14:57:51 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-03-13 00:20:31 -------- d-----w- c:\program files\Wise PC Engineer
2011-02-24 09:50:15 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-24 09:49:13 40448 ----a-w- c:\windows\system32\winrs.exe
2011-02-24 09:49:13 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-02-24 09:49:13 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-02-24 09:49:03 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2011-02-24 09:49:03 10240 ----a-w- c:\windows\system32\winrssrv.dll
2011-02-22 16:12:20 -------- d-----w- c:\users\peterh~1\appdata\roaming\FastStone
2011-02-22 16:12:09 -------- d-----w- c:\program files\FastStone Photo Resizer
.
==================== Find3M ====================
.
2011-02-15 08:46:36 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: SAMSUNG_HD321KJ rev.CP100-10 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8648C439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x864927d0]; MOV EAX, [0x8649284c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x8244D912] -> \Device\Harddisk0\DR0[0x8563B780]
3 CLASSPNP[0x82FA08B3] -> ntkrnlpa!IofCallDriver[0x8244D912] -> [0x8540A8C0]
5 acpi[0x806996BC] -> ntkrnlpa!IofCallDriver[0x8244D912] -> [0x85408030]
\Driver\atapi[0x86477E70] -> IRP_MJ_CREATE -> 0x8648C439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-0 -> \??\IDE#DiskSAMSUNG_HD321KJ_________________________CP100-10#5&225fea8e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 625142446 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 21:35:46.59 ===============


This is the Spybot report:


Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Right Media: Tracking cookie (Internet Explorer: Peter Herron) (Cookie, nothing done)


MediaPlex: Tracking cookie (Internet Explorer: Peter Herron) (Cookie, nothing done)


DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-03-13 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-02-24 Includes\Adware.sbi (*)
2011-03-08 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-08 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-03 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-08 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-08 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-08 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

I would be very grateful for any help in removing this. I hope I have followed your instructions. I am aware another person has posted a nearly identical issue.
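The DDS and mbr.exe output above carries several indicators that a reviewer would normally pull out by hand: a ProxyServer pointing at 127.0.0.1 on a high port (browser traffic being routed through a local process), hosts-file entries that send a domain to a public address, EnableLUA = 0, a BHO whose file is gone, a "user != kernel" MBR comparison, and a FEATURE_BROWSER_EMULATION value for svchost.exe. The following script is an added example written for this page; it is not part of the post or of any of the tools named here. The sample lines are copied from the report above (it is not the whole log), and the severity labels and the list of "non-browser" executables are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the formats DDS and mbr.exe print, copied from
# the report in this post. It is not a complete log.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:55192
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 195.122.131.250 rapidshare.com
Hosts: 195.122.131.250 www.rapidshare.com
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 625142446 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
NOFILE_RE = re.compile(r"^(BHO|TB|[umd]Run|Notify):\s*(.*?)\s+-\s+No File$")
LUA_RE = re.compile(r"EnableLUA\s*=\s*(\d+)")
FBE_RE = re.compile(r"FEATURE_BROWSER_EMULATION\\([^\\\s]+)\s*$", re.I)

# Assumption for this example: these executables never legitimately host an
# Internet Explorer rendering control, so an emulation entry for one of them
# deserves a second look.
NON_BROWSER_HOSTS = {"svchost.exe", "rundll32.exe", "services.exe",
                     "lsass.exe", "winlogon.exe"}

# Severity labels are this example's own triage order, not a DDS feature.
SEVERITY = {
    "mbr_mismatch": "critical: MBR read from user mode differs from the kernel read",
    "local_proxy": "high: browser traffic is routed through a proxy on this machine",
    "hosts_redirect": "high: hosts file sends a domain to a non-local address",
    "browser_emulation_nonbrowser": "high: non-browser process registered as a browser-control host",
    "uac_disabled": "medium: EnableLUA=0, UAC is off",
    "orphan_entry": "low: load point references a file that no longer exists",
    "hosts_block": "info: hosts entry blocks a domain",
}


def _is_loopback(host):
    return host == "localhost" or host.startswith("127.") or host == "::1"


def analyze_dds(text):
    """Return {finding_name: [evidence, ...]} for the indicators above."""
    findings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            # Value looks like "http=127.0.0.1:55192" or "host:port;https=host:port"
            for entry in m.group(1).split(";"):
                host = entry.split("=")[-1].rsplit(":", 1)[0]
                if _is_loopback(host):
                    findings["local_proxy"].append(entry)
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.groups()
            kind = "hosts_block" if _is_loopback(ip) or ip == "0.0.0.0" else "hosts_redirect"
            findings[kind].append((ip, name))
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings["orphan_entry"].append(f"{m.group(1)}: {m.group(2)}")
            continue
        m = LUA_RE.search(line)
        if m and m.group(1) == "0":
            findings["uac_disabled"].append(line)
            continue
        if "user != kernel" in line:          # mbr.exe comparison failed
            findings["mbr_mismatch"].append(line)
            continue
        m = FBE_RE.search(line)
        if m and m.group(1).lower() in NON_BROWSER_HOSTS:
            findings["browser_emulation_nonbrowser"].append(m.group(1).lower())
    return dict(findings)


def triage(findings):
    """Order the findings by the SEVERITY table; most serious first."""
    return [(k, SEVERITY[k], findings[k]) for k in SEVERITY if k in findings]


if __name__ == "__main__":
    for name, label, evidence in triage(analyze_dds(SAMPLE_DDS)):
        print(f"{label}\n    {evidence}")
```

Run against a full dds.txt the same way (read the file, pass its text to analyze_dds). The MBR mismatch is ranked first because the other indicators can all be re-created by whatever is hiding the boot sector; fixing the proxy and hosts entries before the MBR is dealt with tends to be undone at the next boot.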

JonTom
2011-03-14, 18:36
Hello pherron and welcome

My name is JonTom

Malware Logs can sometimes take a lot of time to research and interpret.

Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

PLEASE NOTE: If you do not reply after 5 days your thread will be closed.


Before we do any fixing I would like to see a report from the following scan:

Please scan your system with GMER


Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Right click on GMER.exe and select "Run as Administrator" to run the program. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you are having trouble getting GMER to complete a scan, please run it again, but this time uncheck everything EXCEPT "Sections" and "C:\".
If GMER does not produce a log please try running it from Safe Mode.




How to use the F8 method to Start Your Computer in Safe Mode

Restart your computer.
As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
Use the arrow keys to select the Safe mode menu item.
Press Enter.

If GMER in safe mode does not work, please try Rootkit Unhooker:



Rootkit Unhooker


Please Download Rootkit Unhooker (http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE) and Save it to your desktop.
Right click on RKUnhookerLE.exe and select "Run as administrator" to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth. Uncheck the rest, then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.


Copy the entire contents of the report and paste it in your next reply here.

Note: You may get the following warning, just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Please provide the GMER/Rootkit Unhooker log in your next reply. If you are still having trouble, come back and let me know.

pherron
2011-03-14, 19:36
Many thanks for your help.
Running GMER caused a blue screen twice, so I unchecked everything except "Sections" and "C:\"

Here is the result:


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-14 18:32:46
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\PETERH~1\AppData\Local\Temp\uxriipog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 82CBFB74 4 Bytes [80, B7, 2F, A5]
.text ntkrnlpa.exe!KeSetEvent + 621 82CBFDA4 8 Bytes [20, D6, 30, 8E, D0, B8, 2F, ...] {AND DH, DL; XOR [ESI-0x5ad04730], CL}
.text ntkrnlpa.exe!KeSetEvent + 681 82CBFE04 4 Bytes JMP B2856E8B
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CC04340, 0x39DB57, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[404] ntdll.dll!NtProtectVirtualMemory 76E64B84 5 Bytes JMP 0185000A
.text C:\Windows\Explorer.EXE[404] ntdll.dll!NtWriteVirtualMemory 76E654C4 5 Bytes JMP 018D000A
.text C:\Windows\Explorer.EXE[404] ntdll.dll!KiUserExceptionDispatcher 76E65BF8 5 Bytes JMP 0179000A
.text C:\Windows\system32\svchost.exe[1400] ntdll.dll!NtProtectVirtualMemory 76E64B84 5 Bytes JMP 0071000A
.text C:\Windows\system32\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory 76E654C4 5 Bytes JMP 0076000A
.text C:\Windows\system32\svchost.exe[1400] ntdll.dll!KiUserExceptionDispatcher 76E65BF8 5 Bytes JMP 000F000A
.text C:\Windows\system32\svchost.exe[1400] ole32.dll!CoCreateInstance 74F79F3E 5 Bytes JMP 00DC000A

---- EOF - GMER 1.0.15 ----
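The GMER log above lists two kinds of patch: kernel-mode byte changes inside ntkrnlpa.exe!KeSetEvent (one of them a JMP), and 5-byte JMPs at the start of ntdll and ole32 exports in Explorer.EXE and svchost.exe. Reading such a log by hand means grouping the hooks per process and asking two questions: does the JMP land inside the hooked DLL (a hotpatch) or far away in memory that was mapped separately, and which hooks are common to every process (typical of a system-wide injector, whether a security product or malware) versus present in only one? The script below is an added example for this page, not GMER's code or anything posted in the thread. The hook lines are copied from the log above; the 4 MB "far jump" threshold is the example's own assumption. As the reply earlier in the thread says, a hook on its own is not proof of infection: the DDS log shows AVG Identity Protection running, and products like that install exactly this sort of hook.

```python
import re
from collections import defaultdict

# Constructed sample: the hook lines from the GMER log above, reproduced
# verbatim. A real log has many more sections.
SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 82CBFB74 4 Bytes [80, B7, 2F, A5]
.text ntkrnlpa.exe!KeSetEvent + 621 82CBFDA4 8 Bytes [20, D6, 30, 8E, D0, B8, 2F, ...] {AND DH, DL; XOR [ESI-0x5ad04730], CL}
.text ntkrnlpa.exe!KeSetEvent + 681 82CBFE04 4 Bytes JMP B2856E8B
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CC04340, 0x39DB57, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[404] ntdll.dll!NtProtectVirtualMemory 76E64B84 5 Bytes JMP 0185000A
.text C:\Windows\Explorer.EXE[404] ntdll.dll!NtWriteVirtualMemory 76E654C4 5 Bytes JMP 018D000A
.text C:\Windows\Explorer.EXE[404] ntdll.dll!KiUserExceptionDispatcher 76E65BF8 5 Bytes JMP 0179000A
.text C:\Windows\system32\svchost.exe[1400] ntdll.dll!NtProtectVirtualMemory 76E64B84 5 Bytes JMP 0071000A
.text C:\Windows\system32\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory 76E654C4 5 Bytes JMP 0076000A
.text C:\Windows\system32\svchost.exe[1400] ntdll.dll!KiUserExceptionDispatcher 76E65BF8 5 Bytes JMP 000F000A
.text C:\Windows\system32\svchost.exe[1400] ole32.dll!CoCreateInstance 74F79F3E 5 Bytes JMP 00DC000A
"""

USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]+)", re.I)
KERNEL_PATCH_RE = re.compile(
    r"^\.text\s+(?P<module>[^\s!\\]+)!(?P<func>\S+)\s*\+\s*(?P<off>[0-9A-F]+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+(?P<n>\d+)\s+Bytes\s+(?P<rest>.*)$", re.I)

# Assumption: a JMP that lands more than 4 MB from the patched instruction
# cannot be inside the same DLL image (ntdll and ole32 are far smaller), so
# the trampoline points at code placed in the process by something else.
FAR_JUMP = 4 * 1024 * 1024


def parse_gmer(text):
    """Split a GMER log into user-mode inline hooks and kernel code patches."""
    user_hooks, kernel_patches = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_HOOK_RE.match(line)
        if m:
            addr, target = int(m["addr"], 16), int(m["target"], 16)
            image = m["image"].rsplit("\\", 1)[-1]      # basename of the exe
            user_hooks.append({
                "process": f"{image}[{m['pid']}]",
                "api": f"{m['module']}!{m['func']}",
                "addr": addr, "target": target,
                "far": abs(target - addr) > FAR_JUMP,
            })
            continue
        m = KERNEL_PATCH_RE.match(line)
        if m:
            kernel_patches.append({
                "symbol": f"{m['module']}!{m['func']}+{m['off'].upper()}",
                "addr": int(m["addr"], 16), "bytes": int(m["n"]),
                "kind": "jmp" if m["rest"].upper().startswith("JMP") else "byte_patch",
            })
    return {"user_hooks": user_hooks, "kernel_patches": kernel_patches}


def hooks_by_process(report):
    out = defaultdict(set)
    for h in report["user_hooks"]:
        out[h["process"]].add(h["api"])
    return dict(out)


def shared_and_unique(report):
    """APIs hooked in every listed process vs. those hooked in only some."""
    per_proc = hooks_by_process(report)
    if not per_proc:
        return set(), {}
    shared = set.intersection(*per_proc.values())
    unique = {p: apis - shared for p, apis in per_proc.items() if apis - shared}
    return shared, unique


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_GMER)
    shared, unique = shared_and_unique(rep)
    print("hooked in every process:", sorted(shared))
    print("hooked in only some processes:", unique)
    for p in rep["kernel_patches"]:
        print("kernel patch:", p["symbol"], p["kind"], f"{p['bytes']} bytes")
    print("far jumps:", sum(h["far"] for h in rep["user_hooks"]), "of", len(rep["user_hooks"]))
```

On the log above this reports the three ntdll hooks as common to both processes and ole32.dll!CoCreateInstance as present only in svchost.exe[1400]; that single out-of-pattern hook, in the same svchost.exe the Spybot report ties to FEATURE_BROWSER_EMULATION, is the line a helper would want to look at, while the shared ntdll set is what an injected security agent would also produce.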

JonTom
2011-03-14, 19:58
Hello pherron

Thank you for the log.

Lets start with the following:

P2P Programs:


P2P programs are a major source of Malware infections.
From your log I see you have BitTorrent complete and BitTornado. We do not pass judgment on file-sharing, however we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
If you wish to keep the program(s), please do not use them until your computer is cleaned.


Information regarding the risk of using these programs can be found from here (http://malwareremoval.com/p2pindex.php) and here. (http://www.internetworldstats.com/articles/art053.htm)


It is strongly recommend that you uninstall any P2P programs you have on your system.


To do this, Click on the "Windows Orb" (bottom left hand corner of your screen), then on "Computer" and then on the "Uninstall or Change a Program" tab.
A list of currently installed programs will be displayed.
Find the "BitTorrent complete" and "BitTornado" programs, click on them once and then click on the "Uninstall" button.
If you are prompted to re-boot your computer to complete the uninstall please do so.


PLEASE NOTE:
Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.



Toolbars


I can see that you have the uTorrentBar Toolbar installed.
I recommend that you uninstall this toolbar from your machine.
To do this, Click on the "Windows Orb" (bottom left hand corner of your screen), then on "Computer" and then on the "Uninstall or Change a Program" tab.
A list of currently installed programs will be displayed.
Find the "uTorrentBar Toolbar", click on it once and then click on the "Uninstall" button.
If you are prompted to re-boot your computer to complete the uninstall please do so.



TDSS Killer


Please read carefully and follow these steps.
Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and Right click on TDSSKiller.exe and select "Run as Administrator" to run the application.
Click on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Please post the TDSSKiller log in your next reply :)

pherron
2011-03-14, 20:23
Ok thanks - really appreciate your time. Removed programs.
Ran TDSSKiller and it asked for a reboot to cure one problem. Log file from root directory:


2011/03/14 19:14:55.0428 4152 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/14 19:14:56.0822 4152 ================================================================================
2011/03/14 19:14:56.0822 4152 SystemInfo:
2011/03/14 19:14:56.0822 4152
2011/03/14 19:14:56.0822 4152 OS Version: 6.0.6002 ServicePack: 2.0
2011/03/14 19:14:56.0822 4152 Product type: Workstation
2011/03/14 19:14:56.0822 4152 ComputerName: PETERHERRON-PC
2011/03/14 19:14:56.0823 4152 UserName: Peter Herron
2011/03/14 19:14:56.0823 4152 Windows directory: C:\Windows
2011/03/14 19:14:56.0823 4152 System windows directory: C:\Windows
2011/03/14 19:14:56.0823 4152 Processor architecture: Intel x86
2011/03/14 19:14:56.0823 4152 Number of processors: 2
2011/03/14 19:14:56.0823 4152 Page size: 0x1000
2011/03/14 19:14:56.0823 4152 Boot type: Normal boot
2011/03/14 19:14:56.0823 4152 ================================================================================
2011/03/14 19:14:57.0196 4152 Initialize success
2011/03/14 19:15:23.0281 5212 ================================================================================
2011/03/14 19:15:23.0281 5212 Scan started
2011/03/14 19:15:23.0281 5212 Mode: Manual;
2011/03/14 19:15:23.0281 5212 ================================================================================
2011/03/14 19:15:35.0069 5212 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/14 19:15:35.0072 5212 ================================================================================
2011/03/14 19:15:35.0072 5212 Scan finished
2011/03/14 19:15:35.0072 5212 ================================================================================
2011/03/14 19:15:35.0082 5368 Detected object count: 1
2011/03/14 19:15:41.0165 5368 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/14 19:15:41.0165 5368 \HardDisk1 - ok
2011/03/14 19:15:41.0166 5368 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/03/14 19:16:02.0817 5260 Deinitialize success

JonTom
2011-03-14, 21:18
Hello pherron

Thank you for the log.

We now need to run ComboFix on this machine. AVG is known to interfere with ComboFix and prevent it from functioning correctly. Your AVG must be fully uninstalled before running ComboFix.

Once you have uninstalled AVG please refrain from using the net except to download the required tools and to post logs back here.

Combofix


Download ComboFix from one of the following locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)


VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216).
Right click on ComboFix.exe and select "Run as Administrator" to run the program. Follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Should there be issues with internet afterward:

In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.

pherron
2011-03-14, 22:11
Ok, all instructions carefully followed. Log file from ComboFix pasted below.
Can I re-install AVG now?
Again, many thanks for this.



ComboFix 11-03-13.02 - Peter Herron 14/03/2011 20:49:07.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1088 [GMT 0:00]
Running from: c:\users\Peter Herron\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\ABBYY FineReader 6.0 Sprint\ABBYY FineReader 6.0 Sprint.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\ABBYY FineReader 6.0 Sprint\User's Guide.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\ArcSoft PhotoImpression 6\PhotoImpression 6 Monitor.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\ArcSoft PhotoImpression 6\PhotoImpression 6.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Attach To Email\EPSON Attach To Email.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Attach To Email\Read Me.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Attach To Email\Uninstall EPSON Attach To Email.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Copy Utility\EPSON Copy Utility ReadMe.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Copy Utility\EPSON Copy Utility.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\EPSON Copy Utility.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\EPSON File Manager.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\File Manager\EPSON File Manager Uninstall.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\File Manager\EPSON File Manager.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\File Manager\Readme.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Scan Assistant\Scan Assistant.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON PERFECTION V200 PHOTO Manual.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Scan\EPSON Scan.lnk
c:\windows\system32\Ijl11.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
.
2011-03-13 21:19 . 2011-03-13 21:20 -------- d-----w- c:\program files\ERUNT
2011-03-13 19:42 . 2011-03-13 20:53 -------- d-----w- c:\program files\CCleaner
2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\SUPERAntiSpyware.com
2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-13 14:57 . 2011-03-13 15:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-03-13 14:57 . 2011-03-13 15:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-13 00:20 . 2011-03-13 00:20 -------- d-----w- c:\program files\Wise PC Engineer
2011-02-24 09:50 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-24 09:49 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-02-24 09:49 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-02-24 09:49 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\FastStone
2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\program files\FastStone Photo Resizer
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-15 08:46 . 2007-08-03 14:53 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
2011-01-20 16:37 . 2011-02-09 20:28 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 20:28 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 20:28 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 20:28 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08 . 2011-02-09 20:28 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 20:28 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07 . 2011-02-09 20:28 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 20:28 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 20:28 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 20:28 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 20:28 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 20:28 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 20:28 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 20:28 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 20:28 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 20:28 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 20:28 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 20:28 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24 . 2011-02-09 20:28 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 20:28 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 20:28 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 20:28 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 20:28 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 20:28 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 20:28 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 20:28 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44 . 2011-02-09 20:28 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44 . 2011-02-09 20:28 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47 . 2011-02-09 20:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 20:28 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-09 20:28 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55 . 2011-01-12 08:30 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27 . 2011-02-09 20:27 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22 . 2011-02-09 20:27 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22 . 2011-02-09 20:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22 . 2011-02-09 20:27 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 06:22 . 2011-02-09 20:27 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 05:25 . 2011-02-09 20:27 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48 . 2011-02-09 20:27 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47 . 2011-02-09 20:27 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Google Update"="c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-01 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-601883706-1770117181-183331753-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
R3 IAMT03;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamt03.sys [2006-10-18 40848]
R3 IAMTV;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtv.sys [2006-10-18 38280]
R3 Media Jukebox 14 Service;Media Jukebox 14 Service;c:\program files\J River\Media Jukebox 14\JRService.exe [2010-07-15 379400]
R3 Normandy;Normandy SR2; [x]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtxp.sys [2006-10-18 47496]
R4 ioatdma;IOATDMA.SYS Intel(R) 5000 Series Chipsets Integrated Device - 1A38;c:\windows\system32\drivers\ioatdma.sys [2006-10-11 32136]
R4 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-14 34176]
R4 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-12-19 28800]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000Core.job
- c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000UA.job
- c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
.
2011-03-14 c:\windows\Tasks\User_Feed_Synchronization-{3B3713E4-0FE5-41F5-864D-900F8ABFEE9A}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:55192
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
FF - ProfilePath - c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 21:00
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
.
[HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*0*2*2**0ÿÊlÿåen0¢0Ö0Ê0¤0Åe
0\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\SecuROM\License information*]
"datasecu"=hex:b8,0b,be,2b,d5,79,0a,da,fb,d5,94,ca,b6,20,6b,9f,04,e7,f0,86,70,
09,e7,f4,62,3d,44,ef,ca,b5,d7,4e,6e,08,c8,cf,2c,76,41,b6,7f,9c,25,23,82,91,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-14 21:05:19
ComboFix-quarantined-files.txt 2011-03-14 21:05
.
Pre-Run: 44,104,036,352 bytes free
Post-Run: 43,279,822,848 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 4525E5DFADF763FDC0F8DC74C8874E02

pherron
2011-03-14, 23:13
By the way, Spybot is still showing me as infected with Click.GuestLoad.
I only ran a scan, I have taken no action and await your instructions.

JonTom
2011-03-15, 01:19
Hello pherron

Thank you for the log.


"Can I re-install AVG now?" Let's leave it uninstalled for now. Don't worry, I'll let you know when to re-install it.


Please work through the following steps


Hold down the Windows key (has the Windows symbol on it) and press the "R" key. A Run box will open. Type in Notepad then click on "OK".

NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.

Copy and Paste the text in the quotebox below into the open Notepad window:


DDS::
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:55192

Firefox::
FF - ProfilePath - c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]




Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.

Close any open browsers.

Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Referring to the picture below, drag CFScript.txt into ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif



When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Once the log is produced, re-engage your resident anti virus.



Temporary File Cleaner


Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Close any open windows.
Right click the TFC icon and select "Run as Administrator" to run the program.
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish.
Once complete it should automatically reboot your machine.
If your machine does not reboot automatically, manually reboot to ensure a complete clean.
Note: After running TFC your machine may take slightly longer to boot the first time. This is normal.



MalwareBytes AntiMalware:


I can see that you have MBAM installed.
Double click on your MalwareBytes AntiMalware icon to launch the program.
Click on the "Update" tab and then on "Check for Updates".
The program will now install the latest Malware definition files.
Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
Once the program has scanned your computer, a log file will be created in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.


If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Come back here to this thread and Paste the log in your next reply.


Please post the ComboFix log and the MBAM log in your next reply.
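
The CFScript above targets the entries that stood out in the first ComboFix log: the ProxyServer value sending browser traffic to 127.0.0.1:55192 (the likely mechanism behind the inconsistent search redirects), the Conduit search URL and extension, and the locked registry keys. The same log also showed "EnableLUA"= 0 (UAC off) and Security Center monitoring disabled. The script below is an added example written for this thread; it is not part of ComboFix, Spybot S&D or JonTom's toolkit. It reads ComboFix-style log lines and flags those indicators so a reviewer can pick them out before composing a script. The sample lines are copied from the log posted above; the rule names, the allow-list of expected search hosts, and the reading of a service entry ending in [x] as one whose binary is missing are my own assumptions.

```python
"""Triage ComboFix-style log lines for the hijack indicators seen in this thread.
Added example for the thread only; not part of ComboFix, Spybot or any helper's tools.
Rule names, the search-host allow-list and the [x] reading are assumptions."""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the first ComboFix log posted in this thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:55192
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
R3 Normandy;Normandy SR2; [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Assumption for this example: search hosts the analyst treats as expected.
KNOWN_SEARCH_HOSTS = {"www.google.co.uk", "www.google.com", "www.bing.com"}

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$")
# ComboFix defangs URLs as hxxp://; accept both spellings.
FF_SEARCH_RE = re.compile(
    r"prefs\.js:\s*(browser\.search\.\S+|keyword\.URL)\s*-\s*((?:hxxp|http)s?://\S+)")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def proxy_hosts(value):
    """Split an IE ProxyServer value such as 'http=127.0.0.1:55192;https=...'
    (or a bare 'host:port', reported with scheme 'all') into (scheme, host, port)."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        if ":" in hostport:
            host, _, port = hostport.rpartition(":")
        else:
            host, port = hostport, ""
        out.append((scheme or "all", host, port))
    return out


def triage(log_text):
    """Return a list of (rule, offending_line, note) for every indicator found."""
    findings = []
    current_key = ""  # registry key most recently opened with [ ... ]
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := REG_KEY_RE.match(line)):
            current_key = m.group(1).lower()
            continue
        if (m := PROXY_RE.search(line)):
            for scheme, host, port in proxy_hosts(m.group(1)):
                if host.lower() in LOOPBACK_HOSTS:
                    findings.append(("loopback-proxy", line,
                        f"{scheme} traffic is handed to a proxy on this machine ({host}:{port}); "
                        "a local redirector can rewrite every search result"))
            continue
        if (m := FF_SEARCH_RE.search(line)):
            pref, url = m.groups()
            host = urlparse(url.replace("hxxp", "http", 1)).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(("search-hijack", line, f"{pref} points at {host}"))
            continue
        if (m := REG_VALUE_RE.match(line)):
            name, value = m.groups()
            if name == "EnableLUA" and value.startswith("0"):
                findings.append(("uac-disabled", line, "UAC is off; elevation prompts never appear"))
            elif name == "DisableMonitoring" and value.endswith("00000001") \
                    and "security center" in current_key:
                findings.append(("security-center-muted", line, f"monitoring disabled under {current_key}"))
            continue
        if (m := SERVICE_RE.match(line)) and "[x]" in m.group(4):
            # [x] is read here as "binary not on disk": a registered service with no file.
            findings.append(("orphan-service", line, f"service {m.group(2)} has no image file"))
    return findings


if __name__ == "__main__":
    for rule, line, note in triage(SAMPLE_LOG):
        print(f"[{rule}] {note}\n    {line}")
```

Run it against a saved C:\ComboFix.txt by passing the file's contents to triage(); the two DisableMonitoring hits and the loopback proxy correspond exactly to what the CFScript above removes, and the uac-disabled finding is the sort of setting worth restoring once the machine is clean.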

pherron
2011-03-15, 19:42
All instructions carefully followed.
ComboFix downloaded an update, but appeared to still run the script ok.
MalwareBytes found nothing.
Logs attached.

Thanks.


ComboFix 11-03-14.07 - Peter Herron 15/03/2011 18:08:49.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1135 [GMT 0:00]
Running from: c:\users\Peter Herron\Desktop\ComboFix.exe
Command switches used :: c:\users\Peter Herron\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\chrome.manifest
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\chrome\conduitengine.jar
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.js
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.xpt
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\ConduitToolbar.idl
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\ConduitToolbar.js
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\ConduitToolbar.xpt
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\RadioWMPCore.xpt
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\alertSettingsComponent.xml
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\appContextMenu.xml
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\engineContextMenu.xml
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\engineSettings.json
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\fbAlert.js
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\getAppsContextMenu.xml
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\postAppsContextMenu.xml
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\toolbarContextMenu.xml
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\unsharedAppsContextMenu.xml
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\DualPackage\install.rdf
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\install.rdf
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\lib\xpcom.js
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\META-INF\manifest.mf
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\META-INF\zigbert.rsa
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\META-INF\zigbert.sf
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\searchplugin\conduit.gif
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\searchplugin\conduit.ico
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\searchplugin\conduit.PNG
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\searchplugin\conduit.src
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\searchplugin\conduit.xml
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\setup.ini
c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\version.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
.
.
2011-03-15 18:18 . 2011-03-15 18:18 -------- d-----w- c:\users\Peter Herron\AppData\Local\temp
2011-03-15 18:18 . 2011-03-15 18:18 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-03-15 18:18 . 2011-03-15 18:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-14 22:31 . 2011-02-23 09:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4D8DC095-35DA-4EE3-8E77-E1D612B549CA}\mpengine.dll
2011-03-14 19:22 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-14 19:22 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-14 19:22 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-14 19:22 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-14 19:22 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-14 19:22 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-13 21:19 . 2011-03-13 21:20 -------- d-----w- c:\program files\ERUNT
2011-03-13 19:42 . 2011-03-13 20:53 -------- d-----w- c:\program files\CCleaner
2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\SUPERAntiSpyware.com
2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-13 14:57 . 2011-03-13 15:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-03-13 14:57 . 2011-03-13 15:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-13 00:20 . 2011-03-13 00:20 -------- d-----w- c:\program files\Wise PC Engineer
2011-02-24 09:50 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-24 09:49 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-02-24 09:49 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-02-24 09:49 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\FastStone
2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\program files\FastStone Photo Resizer
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-15 08:46 . 2007-08-03 14:53 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
2011-02-02 17:11 . 2009-10-03 09:09 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-09 20:28 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 20:28 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 20:28 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 20:28 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08 . 2011-02-09 20:28 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 20:28 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07 . 2011-02-09 20:28 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 20:28 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 20:28 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 20:28 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 20:28 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 20:28 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 20:28 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 20:28 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 20:28 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 20:28 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 20:28 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 20:28 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24 . 2011-02-09 20:28 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 20:28 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 20:28 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 20:28 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 20:28 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 20:28 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 20:28 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 20:28 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44 . 2011-02-09 20:28 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44 . 2011-02-09 20:28 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47 . 2011-02-09 20:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 20:28 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-09 20:28 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55 . 2011-01-12 08:30 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27 . 2011-02-09 20:27 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22 . 2011-02-09 20:27 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22 . 2011-02-09 20:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22 . 2011-02-09 20:27 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 06:22 . 2011-02-09 20:27 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 05:25 . 2011-02-09 20:27 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48 . 2011-02-09 20:27 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47 . 2011-02-09 20:27 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Google Update"="c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-01 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-601883706-1770117181-183331753-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
R3 IAMT03;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamt03.sys [2006-10-18 40848]
R3 IAMTV;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtv.sys [2006-10-18 38280]
R3 Media Jukebox 14 Service;Media Jukebox 14 Service;c:\program files\J River\Media Jukebox 14\JRService.exe [2010-07-15 379400]
R3 Normandy;Normandy SR2; [x]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtxp.sys [2006-10-18 47496]
R4 ioatdma;IOATDMA.SYS Intel(R) 5000 Series Chipsets Integrated Device - 1A38;c:\windows\system32\drivers\ioatdma.sys [2006-10-11 32136]
R4 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-14 34176]
R4 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-12-19 28800]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000Core.job
- c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000UA.job
- c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
.
2011-03-15 c:\windows\Tasks\User_Feed_Synchronization-{3B3713E4-0FE5-41F5-864D-900F8ABFEE9A}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
FF - ProfilePath - c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-15 18:18
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
.
[HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*0*2*2**0ÿÊlÿåen0¢0Ö0Ê0¤0Åe
0\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\SecuROM\License information*]
"datasecu"=hex:b8,0b,be,2b,d5,79,0a,da,fb,d5,94,ca,b6,20,6b,9f,04,e7,f0,86,70,
09,e7,f4,62,3d,44,ef,ca,b5,d7,4e,6e,08,c8,cf,2c,76,41,b6,7f,9c,25,23,82,91,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
Completion time: 2011-03-15 18:21:52
ComboFix-quarantined-files.txt 2011-03-15 18:21
ComboFix2.txt 2011-03-14 21:05
.
Pre-Run: 42,517,245,952 bytes free
Post-Run: 41,705,693,184 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - E84269E1AE037EF49A86F4F5781EDC9E




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 6067

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

15/03/2011 18:39:00
mbam-log-2011-03-15 (18-39-00).txt

Scan type: Quick scan
Objects scanned: 170369
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
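The DDS/ComboFix log above lists every autostart entry on the machine, and the useful triage step is to pick out the ones worth a second look: services whose image file is gone (marked `[x]`), entries that resolve a bare file name through the PATH, and loaders living in user-writable directories. The parser below is an added example, not part of this thread and not a ComboFix or DDS feature; its flag heuristics and the sample lines (copied from the log posted above) are constructed for illustration.

```python
"""Triage helper for the Run-key and service lines of a ComboFix-style log.
Added example; the heuristics are assumptions, not ComboFix behaviour."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Run-key value line, e.g.
#   "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]'
)
# Service/driver line, e.g.
#   R3 Normandy;Normandy SR2; [x]
#   S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
SVC_RE = re.compile(
    r'^(?P<state>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>[^\[]*?)\s*\[(?P<tail>[^\]]*)\]$'
)

# Directories an autostart image is normally expected in (constructed list).
USUAL_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    kind: str          # "run" (registry Run value) or "service" (driver/service)
    name: str
    path: str
    missing: bool      # service line carried "[x]": image file not found
    flags: List[str]   # triage flags; empty list means nothing stood out


def classify_path(path: str) -> List[str]:
    """Return triage flags for an image path (heuristics are assumptions)."""
    flags: List[str] = []
    p = path.lower().strip()
    if not p:
        return ["no-path"]
    if not p.startswith(USUAL_DIRS):
        # A bare file name or an odd root: resolved via PATH or outside system dirs.
        flags.append("unusual-location")
    if "\\appdata\\" in p or "\\temp\\" in p:
        flags.append("user-writable")
    if not re.search(r"\.(exe|dll|sys|ax|drv)$", p):
        flags.append("no-binary-extension")
    return flags


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line into an Entry, or None for headers and separators."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        path = m.group("path")
        return Entry("run", m.group("name"), path, False, classify_path(path))
    m = SVC_RE.match(line)
    if m:
        path = m.group("path").strip()
        missing = m.group("tail").strip() == "x"
        flags = ["image-missing"] if missing else classify_path(path)
        return Entry("service", m.group("name"), path, missing, flags)
    return None


def triage(lines: List[str]) -> List[Entry]:
    """Return only the entries that earned at least one flag, in log order."""
    entries = (parse_line(ln) for ln in lines)
    return [e for e in entries if e is not None and e.flags]


# Constructed sample: a handful of lines taken from the log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Google Update"="c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-01 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
R3 Normandy;Normandy SR2; [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG.splitlines()):
        print(f"{e.kind:8} {e.name:15} {', '.join(e.flags):30} {e.path}")
```

A flag is a prompt for a human look, not a verdict: the Google updater in AppData is legitimate here, while the orphaned "Normandy" service is the kind of leftover an analyst would want to account for.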

JonTom
2011-03-15, 20:56
Hello pherron

Thank you for the log.

I can see some remnants of Symantec (Norton) products on your machine. Do you still use Norton? If not, let me know and I can provide you with a removal tool.


Spybot is still showing me as infected with Click.GiftLoad

Let's see if it can remove the threat from Safe Mode:


Reboot Your System in Safe Mode


Restart your computer.
As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
Use the arrow keys to select the Safe mode menu item.
Press Enter.


Once in Safe Mode, run Spybot and allow it to attempt the removal of Click.GiftLoad if detected.

When Spybot has completed its run please boot back into Normal Mode.


Please update your Java


Click on "Windows Orb" (bottom left hand corner of your screen), then on "Computer" and then on the "Uninstall or Change a Program" tab.
Uninstall any previous versions of Java that you find.
Reboot your computer.
Next, download the latest version of Java by clicking here (http://java.sun.com/javase/downloads/index.jsp)
Scroll down the page until you reach "Java Platform Standard Edition".
Beneath this and to the right, you will see a button marked "Download JRE".
Click the "Download JRE" button.
Select the platform (Windows, in your case), multi language.
Accept the license agreement and click on "Continue".
Scroll down and click on the file called jre-6u24-windows-i586-p.exe located under "Windows Offline Installation".
Save the file to your desktop.
Do not select Run.
Right click on the saved file (jre-6u24-windows-i586-p.exe) and select "Run as Administrator" to install the update.
Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.



Please run the following scan


Note: You will need to use Internet Explorer for this scan.
Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
Please disable your real time security programs before performing the scan.



Scan your system with Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use.
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.



Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option to "Remove Found Threats" is UNchecked.
Push the "Start" button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png


Please post the ESET log in your next reply.

pherron
2011-03-16, 00:39
JonTom
I have completed steps 1 & 2.
I am now running ESET. It will clearly take some time, so I will have to leave it running over night and post the results in the morning.

The work so far has restored stability to my system. I am no longer getting blue screens and browsers load in normal time. However I still have an svchost.exe using quite a lot of CPU.

I abandoned Norton some time ago, when I realised that it was no better than AVG and seemed to hog a lot of system resources. I would be grateful for advice on removing remnants.

Many thanks. Will post again when ESET is complete.

JonTom
2011-03-16, 01:16
Hello pherron


Will post again when ESET is complete :bigthumb:

pherron
2011-03-16, 07:23
Results of ESET scan below. I don't recall downloading a keygen, I know they're not a good idea to run and VSO is a free program anyway! I will uninstall that software as per forum guidelines. Sorry about that.

We may be winning. I re-ran Spybot after ESET and it did not find Click.GiftLoad, but it did find 2 tracking cookies which I thought were related to it because it has always found them at the same time. Results pasted below ESET results.

C:\Users\Peter Herron\Downloads\MsgPlusLive-484.exe a variant of Win32/MessengerPlus application
C:\Users\Peter Herron\Downloads\Setup_FreeBurner.exe Win32/Adware.Toolbar.Dealio application
C:\Users\Peter Herron\Downloads\Setup_FreeBurnerN.exe Win32/Adware.Toolbar.Dealio application
C:\Users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen.rar a variant of Win32/Keygen.AS application
C:\Users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO_Image_Resizer_4.0.2.5\Keygen\ImageResize_v4.exe a variant of Win32/Keygen.AS application



SpyBot results in normal mode:


Right Media: Tracking cookie (Internet Explorer: Peter Herron) (Cookie, nothing done)


MediaPlex: Tracking cookie (Internet Explorer: Peter Herron) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-03-13 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-02-24 Includes\Adware.sbi (*)
2011-03-08 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-08 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-03 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-08 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-08 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-08 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

JonTom
2011-03-16, 19:26
Hello pherron


I don't recall downloading a keygen, I know they're not a good idea to run

That's right. They are also illegal. In order to receive further assistance at this site you must remove these items.


I will uninstall that software as per forum guidelines

Please do the following:

Please download OTM



Please download OTM by OldTimer by clicking here. (http://oldtimer.geekstogo.com/OTM.exe)
Save the file (called OTM.exe) to your desktop.
Double click on the OTM.exe icon to run the program. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):




:Processes
explorer.exe

:Files
C:\Users\Peter Herron\Downloads\Setup_FreeBurner.exe
C:\Users\Peter Herron\Downloads\Setup_FreeBurnerN.exe
C:\Users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen

:Commands
[Purity]
[EmptyTemp]
[Emptyflash]
[Start Explorer]
[Reboot]







Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

pherron
2011-03-16, 20:11
I downloaded OTM but I can't get it to run. I get a dialog box:

"OTM has stopped working
A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."

I tried it in Safe Mode also, but no joy. Please advise.

Thanks

JonTom
2011-03-16, 20:24
Hello pherron


I can't get it to run

Strange?

Please work through the following steps


Hold down the Windows key (has the Windows symbol on it) and press the "R" key. A Run box will open. Type in Notepad then click on "OK".

NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.

Copy and Paste the text in the quotebox below into the open Notepad window:



File::
C:\Users\Peter Herron\Downloads\Setup_FreeBurner.exe
C:\Users\Peter Herron\Downloads\Setup_FreeBurnerN.exe

Folder::
C:\Users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen

SkipFix::




Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.

Close any open browsers.

Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Referring to the picture below, drag CFScript.txt into ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif



When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

pherron
2011-03-16, 20:53
That worked ok. Here is the log:


ComboFix 11-03-16.01 - Peter Herron 16/03/2011 19:45:06.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1173 [GMT 0:00]
Running from: c:\users\Peter Herron\Desktop\ComboFix.exe
Command switches used :: c:\users\Peter Herron\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
FILE ::
"c:\users\Peter Herron\Downloads\Setup_FreeBurner.exe"
"c:\users\Peter Herron\Downloads\Setup_FreeBurnerN.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Peter Herron\Downloads\Setup_FreeBurner.exe
c:\users\Peter Herron\Downloads\Setup_FreeBurnerN.exe
c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen
c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\^ Enter Here.url
c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\^Just one Click to Get More Stuff.url
c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\Torrent downloaded from AhaShare.com.txt
c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\Torrent downloaded from Demonoid.com.txt
c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\tracked_by_h33t_com.txt
c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen.rar
c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO_Image_Resizer_4.0.2.5\^ Enter Here.url
c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO_Image_Resizer_4.0.2.5\^Just one Click to Get More Stuff.url
c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO_Image_Resizer_4.0.2.5\Keygen\ImageResize_v4.exe
c:\users\Peter Herron\Downloads\VSO Image Resizer 4.0.2.5 Multilingual Software + Keygen\VSO_Image_Resizer_4.0.2.5\vso_image_resizer4_setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))
.
.
2011-03-16 19:46 . 2011-03-16 19:46 -------- d-----w- c:\users\Peter Herron\AppData\Local\temp
2011-03-16 19:46 . 2011-03-16 19:46 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-03-16 19:46 . 2011-03-16 19:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-15 21:46 . 2011-03-15 21:46 -------- d-----w- c:\program files\ESET
2011-03-15 21:34 . 2011-03-15 21:34 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-15 21:34 . 2011-03-15 21:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-15 19:58 . 2011-02-23 09:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F907CDB6-393A-4C13-B4C8-727E2F8BF2C5}\mpengine.dll
2011-03-14 19:22 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-14 19:22 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-14 19:22 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-14 19:22 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-14 19:22 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-14 19:22 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-13 21:19 . 2011-03-13 21:20 -------- d-----w- c:\program files\ERUNT
2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\SUPERAntiSpyware.com
2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-13 14:57 . 2011-03-13 15:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-03-13 14:57 . 2011-03-13 15:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-24 09:50 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-24 09:49 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-02-24 09:49 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-02-24 09:49 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\FastStone
2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\program files\FastStone Photo Resizer
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-15 08:46 . 2007-08-03 14:53 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
2011-02-02 17:11 . 2009-10-03 09:09 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-09 20:28 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 20:28 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 20:28 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 20:28 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08 . 2011-02-09 20:28 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 20:28 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07 . 2011-02-09 20:28 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 20:28 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 20:28 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 20:28 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 20:28 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 20:28 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 20:28 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 20:28 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 20:28 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 20:28 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 20:28 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 20:28 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24 . 2011-02-09 20:28 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 20:28 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 20:28 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 20:28 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 20:28 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 20:28 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 20:28 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 20:28 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44 . 2011-02-09 20:28 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44 . 2011-02-09 20:28 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47 . 2011-02-09 20:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 20:28 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-09 20:28 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55 . 2011-01-12 08:30 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27 . 2011-02-09 20:27 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22 . 2011-02-09 20:27 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22 . 2011-02-09 20:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22 . 2011-02-09 20:27 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 06:22 . 2011-02-09 20:27 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 05:25 . 2011-02-09 20:27 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48 . 2011-02-09 20:27 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47 . 2011-02-09 20:27 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Google Update"="c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-01 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-601883706-1770117181-183331753-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
R3 IAMT03;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamt03.sys [2006-10-18 40848]
R3 IAMTV;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtv.sys [2006-10-18 38280]
R3 Media Jukebox 14 Service;Media Jukebox 14 Service;c:\program files\J River\Media Jukebox 14\JRService.exe [2010-07-15 379400]
R3 Normandy;Normandy SR2; [x]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtxp.sys [2006-10-18 47496]
R4 ioatdma;IOATDMA.SYS Intel(R) 5000 Series Chipsets Integrated Device - 1A38;c:\windows\system32\drivers\ioatdma.sys [2006-10-11 32136]
R4 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-14 34176]
R4 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-12-19 28800]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000Core.job
- c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
.
2011-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000UA.job
- c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
.
2011-03-16 c:\windows\Tasks\User_Feed_Synchronization-{3B3713E4-0FE5-41F5-864D-900F8ABFEE9A}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
FF - ProfilePath - c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-16 19:46
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
.
[HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*0*2*2**0ÿÊlÿåen0¢0Ö0Ê0¤0Åe
0\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\SecuROM\License information*]
"datasecu"=hex:b8,0b,be,2b,d5,79,0a,da,fb,d5,94,ca,b6,20,6b,9f,04,e7,f0,86,70,
09,e7,f4,62,3d,44,ef,ca,b5,d7,4e,6e,08,c8,cf,2c,76,41,b6,7f,9c,25,23,82,91,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
Completion time: 2011-03-16 19:49:59
ComboFix-quarantined-files.txt 2011-03-16 19:49
ComboFix2.txt 2011-03-15 18:21
ComboFix3.txt 2011-03-14 21:05
.
Pre-Run: 85,777,432,576 bytes free
Post-Run: 85,714,579,456 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 5C4FECBF1ADFE666394AF0FA40D3096A

JonTom
2011-03-16, 23:32
Hello pherron

Thank you for the log.

Please work your way through the following steps:

Please download and run the Norton Removal Tool


The Norton removal tool will locate and remove all traces of Norton products from your computer.
To download the tool, click here. (http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN)
Read through the information on the page, and then select the Norton product that you have (this is the one that will be removed).
Follow the instructions to obtain the removal tool and to complete the removal process.



Please Uninstall Combofix


Hold down the Windows key (has the Windows symbol on it) and press the "R" key.
A Run box will open.
Type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall"; it needs to be there.



AVG


Re-install your AVG, update it and run a full system scan.


Please post a new set of DDS scan logs in your next reply and let me know how the machine is running now.

pherron
2011-03-17, 00:06
JonTom

Once again, thanks for your help :thanks:

Norton and ComboFix are now uninstalled. AVG is re-installed.
Running a full scan will take quite a while and I'm really tired now so I will post the DDS scan log tomorrow evening.

The machine seems to be running very well now. The system appears stable and I have not seen any browser redirects tonight. Spybot only found tracking cookies.

JonTom
2011-03-17, 00:17
Hello pherron


"I will post the DDS scan log tomorrow evening"

No problem. See you tomorrow :)

pherron
2011-03-17, 19:15
AVG found one problem in Google Chrome cache.
Spybot found tracking cookies.

DDS log below + Attach.zip
Also posted logs for AVG & Spybot.

Everything seems to be back to normal.
Many thanks for your excellent help.
:thanks:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Peter Herron at 17:34:45.23 on 17/03/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1052 [GMT 0:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\oodag.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Users\Peter Herron\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: NXIECatcher Class: {83b80a9c-d91a-4f22-8dcf-ea7204039f79} - c:\program files\xi\netxfer\NXIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\peter herron\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - res://c:\program files\flash capture\fciext.dll/FCIEXT.htm
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} - hxxp://static.photobox.co.uk/sg/common/uploader_uni.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - hxxp://www.instantaction.com/download/iaplayer.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\peterh~1\appdata\roaming\mozilla\firefox\profiles\y6gzbwgg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-9-12 20328]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-20 21504]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-3-13 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-7-14 239648]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-15 136176]
S3 IAMT03;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMT03.sys [2007-5-9 40848]
S3 IAMTV;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMTV.sys [2007-5-9 38280]
S3 Media Jukebox 14 Service;Media Jukebox 14 Service;c:\program files\j river\media jukebox 14\JRService.exe [2011-1-26 379400]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [2007-5-9 47496]
S4 ioatdma;IOATDMA.SYS Intel(R) 5000 Series Chipsets Integrated Device - 1A38;c:\windows\system32\drivers\ioatdma.sys [2007-5-9 32136]
S4 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-5-9 34176]
S4 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-5-9 28800]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-03-16 22:50:03 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-16 19:50:03 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-16 19:50:01 -------- d-----w- c:\users\peterh~1\appdata\local\temp
2011-03-15 21:46:28 -------- d-----w- c:\program files\ESET
2011-03-15 21:34:50 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-03-15 21:34:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-15 19:58:32 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{f907cdb6-393a-4c13-b4c8-727e2f8bf2c5}\mpengine.dll
2011-03-14 19:22:13 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-14 19:22:12 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-14 19:22:12 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-14 19:22:12 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-14 19:22:05 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-14 19:22:05 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-13 18:02:51 -------- d-----w- c:\users\peterh~1\appdata\roaming\SUPERAntiSpyware.com
2011-03-13 18:02:51 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-03-13 18:02:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-13 14:57:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-13 14:57:51 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-02-24 09:50:15 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-24 09:49:13 40448 ----a-w- c:\windows\system32\winrs.exe
2011-02-24 09:49:13 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-02-24 09:49:13 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-02-24 09:49:03 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2011-02-24 09:49:03 10240 ----a-w- c:\windows\system32\winrssrv.dll
2011-02-22 16:12:20 -------- d-----w- c:\users\peterh~1\appdata\roaming\FastStone
2011-02-22 16:12:09 -------- d-----w- c:\program files\FastStone Photo Resizer
.
==================== Find3M ====================
.
2011-02-15 08:46:36 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
2011-02-02 17:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 17:36:21.04 ===============



AVG scan result:


"";"C:\Users\Peter Herron\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00002c";"Corrupted executable file";"Moved to Virus Vault"


==============================================

SpyBot S&D scan result:

Right Media: Tracking cookie (Internet Explorer: Peter Herron) (Cookie, nothing done)
MediaPlex: Tracking cookie (Internet Explorer: Peter Herron) (Cookie, nothing done)
DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Statcounter: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-03-13 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-02-24 Includes\Adware.sbi (*)
2011-03-15 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-16 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-15 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-08 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

JonTom
2011-03-18, 00:21
Hello pherron

Logs are looking good (just a few minor things to take care of).

You still appear to have BitTorrent installed. You would be doing yourself a huge favour by uninstalling it.

Please uninstall J2SE Runtime Environment 5.0 Update 12


You already have the latest version of Java installed.
Outdated versions of Java have security flaws that are exploited by malware writers.
Click on "Windows Orb" then on "Computer" and then on the "Uninstall or change a program" tab.
A list of currently installed programs will be displayed.
Find the "J2SE Runtime Environment 5.0 Update 12" program, click on it once and then click on the "uninstall" button.
If you are prompted to re-boot your computer to complete the uninstall please do so.



AVG found one problem in the Google Chrome cache. It looks as though AVG has quarantined the offending item, so it should no longer cause you any problems.


Spybot found tracking cookies. Allow Spybot to remove those cookies. If it is unable to do so, open SuperAntiSpyware, update it and run a full scan. Should there be any remaining cookie issues we can always block them manually, although it is highly unlikely that they will cause any harm to your machine.

Let's remove the tools we used in cleaning your system:

You have already uninstalled ComboFix.


Removal of Tools


You no longer need DDS, GMER or OTM. Please delete them from your machine.



Your Adobe Reader is out of date


You can obtain the latest version of Adobe Reader from here (http://get.adobe.com/uk/reader/), and the latest version of Flash Player from here. (http://www.adobe.com/products/flashplayer/)
For more information and links to Adobe updates and downloads click here. (http://www.adobe.com/downloads/)



Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.


Finally, please take the time to read through the information provided below:

Enhance your System Security

For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here. (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)

IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
Once complete, remember to re-engage your resident security before going online.

Web Browsers and Browser Security

Firefox

Firefox is generally considered to have greater browsing security in comparison to other popular programs. You can download Firefox 3.0 from here. (http://www.mozilla.com/en-US/firefox/)


No-Script

If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
You can download No-Script by clicking here. (https://addons.mozilla.org/en-US/firefox/addon/722)


Internet Explorer

The newest version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)


SpywareBlaster

If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
You can download SpywareBlaster by clicking here. (http://www.javacoolsoftware.com/sbdownload.html)

Web of Trust

When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
You can download Web of Trust by clicking here. (http://www.mywot.com/)


Keep your Software Updated

Outdated software can sometimes have vulnerabilities that are exploitable by malware.
Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here. (http://secunia.com/vulnerability_scanning/online/)


Passwords

Learn how to create strong passwords by clicking here (http://www.microsoft.com/protect/yourself/password/create.mspx) and test the strength of the passwords you already use by clicking here. (http://www.microsoft.com/protect/yourself/password/checker.mspx)


General Reading

PC Safety and Security - What do I need? (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)

How to prevent Malware (by Miekiemoes) (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)


Learn How To Combat Malware

Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here. (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)
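The Java step above depends on noticing that an older runtime (here J2SE 5.0 Update 12) is still listed beside the current one. The PowerShell snippet below is an added example, not part of JonTom's post; it reads the Windows Uninstall registry keys (both 32-bit and 64-bit views) to list every installed Java runtime and flag all but the newest as candidates for removal. The DisplayName patterns are assumptions based on how Sun/Oracle Java installers of that era registered themselves.

```powershell
# Added example (not from the thread): inventory installed Java runtimes from the
# registry Uninstall keys so leftover old versions can be spotted and removed
# through Programs and Features, as the post above advises.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Name patterns are assumptions: "J2SE Runtime Environment 5.0 ..." and
# "Java(TM) 6 Update ..." are the forms seen in Programs and Features.
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -match 'J2SE Runtime Environment|Java\(TM\)' -and
        ($_.DisplayVersion -as [version])   # skip entries with no parseable version
    } |
    Select-Object DisplayName, DisplayVersion, UninstallString

if (-not $java) {
    Write-Host 'No Java runtime entries found.'
    return
}

# Newest first; everything after the first entry is an outdated runtime.
$sorted = @($java | Sort-Object { [version]$_.DisplayVersion } -Descending)
$newest = $sorted[0]
Write-Host "Newest installed: $($newest.DisplayName) ($($newest.DisplayVersion))"

$sorted | Select-Object -Skip 1 | ForEach-Object {
    Write-Host "Outdated, remove via Programs and Features: $($_.DisplayName) ($($_.DisplayVersion))"
    Write-Host "  uninstall command recorded by the installer: $($_.UninstallString)"
}
```

The script only reports; the actual removal is still done through Programs and Features so the installer can clean up its own registry entries.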

pherron
2011-03-18, 00:47

Thank you for all your help. It's really brilliant that people like you are so willing to give of their time. I'll work my way through all the advice. Have a good weekend (well only one more day to go).

All the best.

JonTom
2011-03-18, 10:03
"Thank you for all your help"

You are very welcome pherron :)

Best wishes
JonTom

JonTom
2011-03-20, 14:11
Since this problem appears to be resolved this topic is now closed.

Glad we could help :)

Best wishes
JonTom