Machine runs very slowwwww
My computer started running very slow. I ran Spybot but it didn't find anything. Malwarebytes found a few things and removed them, but it is still running very slow. Please help me make sure that I got rid of everything.
Thanks in advance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Run by Bob at 22:41:25 on 2011-11-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1182 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Documents and Settings\Bob\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\MiMedia LLC\MiMedia\MiMedia.exe
C:\Program Files\Omega Research\Program\orschd.exe
C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
.
============== Pseudo HJT Report ===============
.
uLocal Page = c:\program files\common files\microsoft shared\stationery\Blank.htm
uStart Page = hxxp://twitter.com/
uDefault_Search_URL = hxxp://search.searchcompletion.com/?si=10211&home=1
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10591&gct=&gc=1&q=%s
mURLSearchHooks: H - No File
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Complitly: {d27fc31c-6e3d-4305-8d53-acdaefa5f862} - c:\documents and settings\bob\application data\complitly\Complitly.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [DriverMax_RESTART] "c:\program files\innovative solutions\drivermax\devices.exe" -RESTART
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [mylbx] c:\program files\my lockbox\mylbx.exe /a
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\aquari~1.lnk - c:\program files\aquarius soft\pc alarm clock pro\alarm.exe
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mimedia.lnk - c:\program files\mimedia llc\mimedia\MiMedia.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\omegar~1.lnk - c:\program files\omega research\program\orschd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} - hxxps://secure.logmein.com/activex/RACtrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 208.67.222.222 192.168.254.254
TCP: Interfaces\{1F50389D-8DEA-49E5-9593-FA09ACC3563A} : DhcpNameServer = 208.67.222.222 192.168.254.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\vw9a9lod.default\
FF - prefs.js: browser.search.selectedEngine - Complitly
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.searchcompletion.com/?bs=1&si=10211&q=
FF - plugin: c:\documents and settings\bob\application data\mozilla\firefox\profiles\vw9a9lod.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\NPDOC.DLL
FF - plugin: c:\program files\netscape\navigator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\nprjplug.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\npwmsdrm.dll
.
---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.insidefutures.com http://www.futuresknowledge.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32592]
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2011-4-6 41912]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\bob\local settings\application data\crossloop\CrossLoopService.exe [2011-6-5 560880]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-5 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-7-13 47640]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 5120]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 16720]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-5-10 127496]
S0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys --> c:\windows\system32\drivers\avgarkt.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\avgarcln.sys --> c:\windows\system32\drivers\AvgArCln.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-18 7168]
S3 NLNdisMP;NLNdisMP;c:\windows\system32\drivers\nlndis.sys --> c:\windows\system32\drivers\nlndis.sys [?]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\drivers\nlndis.sys --> c:\windows\system32\drivers\nlndis.sys [?]
S3 tvnserver;TightVNC Server;c:\documents and settings\bob\local settings\application data\crossloop\tvnserver.exe [2011-6-5 814080]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-11-13 00:29:51 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-13 00:27:28 98816 ----a-w- c:\windows\sed.exe
2011-11-13 00:27:28 518144 ----a-w- c:\windows\SWREG.exe
2011-11-13 00:27:28 256000 ----a-w- c:\windows\PEV.exe
2011-11-13 00:27:28 208896 ----a-w- c:\windows\MBR.exe
2011-11-12 19:52:49 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-12 13:55:53 -------- d-----w- c:\program files\8A95D
2011-11-12 13:55:42 -------- d-----w- c:\documents and settings\bob\application data\w55ssQJ7dELgRqh
2011-11-12 13:55:42 -------- d-----w- c:\documents and settings\bob\application data\UCwwkUVVrlNtP0
2011-11-12 13:55:25 -------- d-----w- c:\documents and settings\bob\application data\SPPP0ycA1ivDo
2011-11-12 13:55:25 -------- d-----w- c:\documents and settings\bob\application data\A448A
2011-11-12 13:55:21 -------- d-----w- c:\documents and settings\bob\application data\w88RRZ9hYw
2011-11-12 12:49:28 -------- d-----w- c:\program files\TS Support
2011-11-12 12:49:28 -------- d-----w- c:\documents and settings\bob\application data\TS Support
2011-11-12 12:48:35 -------- d-----w- c:\documents and settings\bob\local settings\application data\TS Support
2011-11-12 12:48:35 -------- d-----w- c:\documents and settings\all users\application data\TS Support
2011-11-04 12:59:00 -------- d-----w- c:\program files\MiMedia LLC
2011-11-04 12:59:00 -------- d-----w- c:\documents and settings\all users\application data\MiMedia
2011-11-04 00:07:09 -------- d-----w- C:\Junk Non-Backup
2011-10-29 11:09:04 -------- d-----w- C:\TV Shows to DVD
2011-10-28 21:22:25 -------- d-----w- c:\documents and settings\bob\application data\DVD Flick
2011-10-28 21:22:10 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2011-10-28 21:22:10 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2011-10-28 21:22:09 28672 ----a-w- c:\windows\system32\mousewheel.ocx
2011-10-28 21:22:09 -------- d-----w- c:\program files\DVD Flick
2011-10-28 21:00:48 -------- d-----w- c:\documents and settings\bob\application data\AnvSoft
2011-10-28 21:00:16 -------- d-----w- c:\program files\AnvSoft
.
==================== Find3M ====================
.
2011-10-19 10:21:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 11:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-05 20:06:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-05 20:06:11 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-10-05 20:06:09 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-05 20:06:08 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-04 11:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-19 15:01:27 121464 -c--a-w- c:\windows\system32\drivers\AnyDVD.sys
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2009-10-03 16:43:23 8410624 ----a-w- c:\program files\HTML Guardian 7.msi
.
============= FINISH: 22:43:22.53 ===============
http://forums.spybot.info/showthread.php?t=63898
Hi
I think you missed the "Please do NOT run 'FIXES' (ComboFix etc) without being asked" sticky (http://forums.spybot.info/showthread.php?t=16806). You ran ComboFix, though it shouldn't be used without supervision.
Post c:\ComboFix.txt contents.
Yes, you caught me. The machine was behaving so poorly, and I desperately needed to use it, so I tried ComboFix as a last resort. It actually took several attempts, some in Safe Mode and some in Normal Mode. Malwarebytes found another three viruses yesterday, so I think something is still going on. Thank you very much for your help.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix 11-11-12.04 - Administrator 11/12/2011 22:09:32.16.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1689 [GMT -6:00]
Running from: c:\documents and settings\Administrator.INSPIRON\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\EA620A85E2A7A2E5.log
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Bob\g2mdlhlpx.exe
c:\program files\LP
c:\program files\LP\454A\172.tmp
c:\program files\LP\454A\175.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))
.
.
2011-11-12 19:52 . 2011-11-12 19:53 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-12 13:55 . 2011-11-12 14:36 -------- d-----w- c:\program files\8A95D
2011-11-12 12:49 . 2011-11-12 12:49 -------- d-----w- c:\program files\TS Support
2011-11-12 12:48 . 2011-11-12 12:48 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\TS Support
2011-11-12 12:48 . 2011-11-12 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TS Support
2011-11-04 12:59 . 2011-11-04 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\MiMedia
2011-11-04 12:59 . 2011-11-04 12:59 -------- d-----w- c:\program files\MiMedia LLC
2011-11-04 00:07 . 2011-11-04 12:46 -------- d-----w- C:\Junk Non-Backup
2011-10-29 11:09 . 2011-11-04 00:10 -------- d-----w- C:\TV Shows to DVD
2011-10-28 21:22 . 2007-08-31 23:36 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2011-10-28 21:22 . 2003-01-26 18:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2011-10-28 21:22 . 2011-10-28 21:22 -------- d-----w- c:\program files\DVD Flick
2011-10-28 21:22 . 2008-08-31 18:27 28672 ----a-w- c:\windows\system32\mousewheel.ocx
2011-10-28 21:00 . 2011-10-28 21:00 -------- d-----w- c:\program files\AnvSoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-19 10:21 . 2011-05-19 10:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-01-13 03:20 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 11:23 . 2011-01-07 11:41 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-05 20:06 . 2010-07-13 10:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-05 20:06 . 2010-07-13 10:48 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-10-05 20:06 . 2010-07-13 10:48 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-05 20:06 . 2010-07-13 10:48 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-04 11:21 . 2011-02-10 12:53 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30 . 2011-01-19 09:32 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2011-04-10 21:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-19 15:01 . 2011-08-19 15:01 121464 -c--a-w- c:\windows\system32\drivers\AnyDVD.sys
2011-08-17 13:49 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2009-10-03 16:43 . 2009-10-03 16:43 8410624 ----a-w- c:\program files\HTML Guardian 7.msi
2011-05-19 20:22 . 2009-08-20 23:58 113976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2011-07-21 20:16 . 2009-08-20 23:58 550712 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-08-20 23:58 . 2009-08-20 23:58 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-11-10 20:18 . 2011-05-07 00:38 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_MonitoredFolder]
@="{C00213B1-77A8-4F0E-B740-0B36FBF7FAE7}"
[HKEY_CLASSES_ROOT\CLSID\{C00213B1-77A8-4F0E-B740-0B36FBF7FAE7}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_SynchronizationPending]
@="{FAD5EA38-2D1D-485D-9B07-D35EB72B922E}"
[HKEY_CLASSES_ROOT\CLSID\{FAD5EA38-2D1D-485D-9B07-D35EB72B922E}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_Synchronized]
@="{69DE75F6-60E6-4E55-B416-171941A5C73E}"
[HKEY_CLASSES_ROOT\CLSID\{69DE75F6-60E6-4E55-B416-171941A5C73E}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-05 16859648]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-20 2245984]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2005-02-16 221184]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"mylbx"="c:\program files\My Lockbox\mylbx.exe" [2011-03-27 1900864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-05-21 111208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MiMedia.lnk - c:\program files\MiMedia LLC\MiMedia\MiMedia.exe [2011-9-22 55696]
Omega Research Task Scheduler.lnk - c:\program files\Omega Research\Program\orschd.exe [2008-3-19 148480]
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [N/A]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-05 20:06 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\NinjaTrader 7\\bin\\NinjaTrader.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\CrossLoop\\tvnserver.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"5910:TCP"= 5910:TCP:vnc5910
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 3:32 AM 32592]
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [4/6/2011 1:37 PM 41912]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 230608]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/10/2011 6:54 AM 295248]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
S2 CrossLoopService;CrossLoop Service;c:\documents and settings\Bob\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [6/5/2011 7:49 AM 560880]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/5/2010 6:39 PM 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 11:22 AM 12856]
S2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 4:00 AM 5120]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [3/30/2011 4:17 PM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 16720]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [8/18/2005 7168]
S3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys --> c:\windows\system32\DRIVERS\nlndis.sys [?]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys --> c:\windows\system32\DRIVERS\nlndis.sys [?]
S3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 4:13 PM 1553896]
S3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [5/10/2009 3:26 PM 127496]
S3 tvnserver;TightVNC Server;c:\documents and settings\Bob\Local Settings\Application Data\CrossLoop\tvnserver.exe [6/5/2011 7:49 AM 814080]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-13 c:\windows\Tasks\User_Feed_Synchronization-{1FF685FF-AF79-4E0B-A492-555956BF9C7C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 208.67.222.222 192.168.254.254
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\vw9a9lod.default\
FF - prefs.js: browser.search.selectedEngine - Complitly
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.searchcompletion.com/?bs=1&si=10211&q=
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.insidefutures.com http://www.futuresknowledge.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-12 22:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\wkep
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,0a,01,d4,80,3d,38,45,8c,08,d6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,0a,01,d4,80,3d,38,45,8c,08,d6,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(256)
c:\windows\system32\LMIinit.dll
c:\windows\system32\l3codeca.acm
.
Completion time: 2011-11-12 22:24:18
ComboFix-quarantined-files.txt 2011-11-13 04:24
ComboFix2.txt 2011-09-30 00:13
.
Pre-Run: 10,701,320,192 bytes free
Post-Run: 10,661,699,584 bytes free
.
- - End Of File - - 253879DE25AF71D304D305AF02634DC0
Hi,
Post Malwarebytes log contents here, please.
I did 3 scans yesterday.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8166
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
11/16/2011 10:28:26 AM
mbam-log-2011-11-16 (10-28-26).txt
Scan type: Full scan (C:\|)
Objects scanned: 379058
Time elapsed: 1 hour(s), 30 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Rogue.PrivacyProtection) -> Value: Privacy Protection -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\all users\application data\privacy.exe (Rogue.PrivacyProtection) -> Quarantined and deleted successfully.
c:\documents and settings\Bob\local settings\temp\16C.tmp (Rogue.PrivacyProtection) -> Quarantined and deleted successfully.
c:\documents and settings\Bob\local settings\temp\~!#16A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8178
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/16/2011 4:45:34 PM
mbam-log-2011-11-16 (16-45-34).txt
Scan type: Full scan (C:\|)
Objects scanned: 376847
Time elapsed: 1 hour(s), 40 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Bob\local settings\temp\~!#168.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Bob\local settings\temp\~!#169.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Bob\local settings\temp\0.8538213704063087gtye.exe (Trojan.Downloader.adb) -> Quarantined and deleted successfully.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8178
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/16/2011 6:29:23 PM
mbam-log-2011-11-16 (18-29-23).txt
Scan type: Full scan (C:\|)
Objects scanned: 377193
Time elapsed: 1 hour(s), 38 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hi,
Run ComboFix and let it update itself. Post back the log + fresh dds logs.
ComboFix 11-11-17.03 - Bob 11/17/2011 11:27:15.15.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1511 [GMT -6:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Desktop\Privacy Protection.lnk
c:\documents and settings\Bob\Start Menu\Programs\AV Security 2012
c:\windows\$NtUninstallKB22685$
c:\windows\$NtUninstallKB22685$\793840843
c:\windows\CSC\d6
c:\windows\EA620A85E2A7A2E5.log
.
.
((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))
.
.
2011-11-13 15:50 . 2011-11-13 19:08 -------- d-----w- C:\! What If Bob Dies
2011-11-13 00:29 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-12 13:55 . 2011-11-12 14:36 -------- d-----w- c:\program files\8A95D
2011-11-12 13:55 . 2011-11-12 13:55 -------- d-----w- c:\documents and settings\Bob\Application Data\UCwwkUVVrlNtP0
2011-11-12 13:55 . 2011-11-12 13:55 -------- d-----w- c:\documents and settings\Bob\Application Data\w55ssQJ7dELgRqh
2011-11-12 13:55 . 2011-11-12 14:36 -------- d-----w- c:\documents and settings\Bob\Application Data\A448A
2011-11-12 13:55 . 2011-11-12 13:55 -------- d-----w- c:\documents and settings\Bob\Application Data\SPPP0ycA1ivDo
2011-11-12 13:55 . 2011-11-12 13:55 -------- d-----w- c:\documents and settings\Bob\Application Data\w88RRZ9hYw
2011-11-12 12:49 . 2011-11-12 12:49 -------- d-----w- c:\program files\TS Support
2011-11-12 12:49 . 2011-11-12 12:49 -------- d-----w- c:\documents and settings\Bob\Application Data\TS Support
2011-11-12 12:48 . 2011-11-12 12:48 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\TS Support
2011-11-12 12:48 . 2011-11-12 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TS Support
2011-11-04 12:59 . 2011-11-04 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\MiMedia
2011-11-04 12:59 . 2011-11-04 12:59 -------- d-----w- c:\program files\MiMedia LLC
2011-11-04 00:07 . 2011-11-04 12:46 -------- d-----w- C:\Junk Non-Backup
2011-10-29 11:09 . 2011-11-04 00:10 -------- d-----w- C:\TV Shows to DVD
2011-10-28 21:22 . 2011-10-30 01:08 -------- d-----w- c:\documents and settings\Bob\Application Data\DVD Flick
2011-10-28 21:22 . 2011-10-28 21:22 -------- d-----w- c:\program files\DVD Flick
2011-10-28 21:22 . 2008-08-31 18:27 28672 ----a-w- c:\windows\system32\mousewheel.ocx
2011-10-28 21:00 . 2011-10-28 21:00 -------- d-----w- c:\documents and settings\Bob\Application Data\AnvSoft
2011-10-28 21:00 . 2011-10-28 21:00 -------- d-----w- c:\program files\AnvSoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 11:44 . 2011-05-19 10:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-01-13 03:20 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 11:23 . 2011-01-07 11:41 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-05 20:06 . 2010-07-13 10:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-05 20:06 . 2010-07-13 10:48 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-10-05 20:06 . 2010-07-13 10:48 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-05 20:06 . 2010-07-13 10:48 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-04 11:21 . 2011-02-10 12:53 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30 . 2011-01-19 09:32 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2011-04-10 21:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2009-10-03 16:43 . 2009-10-03 16:43 8410624 ----a-w- c:\program files\HTML Guardian 7.msi
2011-05-19 20:22 . 2009-08-20 23:58 113976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2011-07-21 20:16 . 2009-08-20 23:58 550712 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-08-20 23:58 . 2009-08-20 23:58 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-11-10 20:18 . 2011-05-07 00:38 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_MonitoredFolder]
@="{C00213B1-77A8-4F0E-B740-0B36FBF7FAE7}"
[HKEY_CLASSES_ROOT\CLSID\{C00213B1-77A8-4F0E-B740-0B36FBF7FAE7}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_SynchronizationPending]
@="{FAD5EA38-2D1D-485D-9B07-D35EB72B922E}"
[HKEY_CLASSES_ROOT\CLSID\{FAD5EA38-2D1D-485D-9B07-D35EB72B922E}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_Synchronized]
@="{69DE75F6-60E6-4E55-B416-171941A5C73E}"
[HKEY_CLASSES_ROOT\CLSID\{69DE75F6-60E6-4E55-B416-171941A5C73E}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2011-10-11 5389944]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26103592]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"DriverMax_RESTART"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2011-07-07 9245096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-05 16859648]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-20 2245984]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2005-02-16 221184]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"mylbx"="c:\program files\My Lockbox\mylbx.exe" [2011-03-27 1900864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-05-21 111208]
.
c:\documents and settings\Bob\Start Menu\Programs\Startup\
Aquarius Soft PC Alarm Clock Pro.lnk - c:\program files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe [2011-9-10 937984]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MiMedia.lnk - c:\program files\MiMedia LLC\MiMedia\MiMedia.exe [2011-9-22 55696]
Omega Research Task Scheduler.lnk - c:\program files\Omega Research\Program\orschd.exe [2008-3-19 148480]
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [N/A]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-05 20:06 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\NinjaTrader 7\\bin\\NinjaTrader.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\CrossLoop\\tvnserver.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"5910:TCP"= 5910:TCP:vnc5910
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 3:32 AM 32592]
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [4/6/2011 1:37 PM 41912]
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/10/2011 6:54 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\Bob\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [6/5/2011 7:49 AM 560880]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/5/2010 6:39 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 11:22 AM 12856]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 4:00 AM 5120]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 4:13 PM 1553896]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [5/10/2009 3:26 PM 127496]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [3/30/2011 4:17 PM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 16720]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [8/18/2005 7168]
S3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys --> c:\windows\system32\DRIVERS\nlndis.sys [?]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys --> c:\windows\system32\DRIVERS\nlndis.sys [?]
S3 tvnserver;TightVNC Server;c:\documents and settings\Bob\Local Settings\Application Data\CrossLoop\tvnserver.exe [6/5/2011 7:49 AM 814080]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-17 c:\windows\Tasks\User_Feed_Synchronization-{1FF685FF-AF79-4E0B-A492-555956BF9C7C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\program files\Common Files\Microsoft Shared\Stationery\Blank.htm
uStart Page = hxxp://twitter.com/
uDefault_Search_URL = hxxp://search.searchcompletion.com/?si=10211&home=1
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10591&gct=&gc=1&q=%s
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\vw9a9lod.default\
FF - prefs.js: browser.search.selectedEngine - Complitly
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.searchcompletion.com/?bs=1&si=10211&q=
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.insidefutures.com http://www.futuresknowledge.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-17 11:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\wkep
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1052)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(2684)
c:\windows\system32\WININET.dll
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll
c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
c:\program files\MiMedia LLC\MiMedia\sqlite3.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Hotspot Shield\bin\hsswd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msdtc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Skype\Phone\Skype.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
.
**************************************************************************
.
Completion time: 2011-11-17 11:50:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-17 17:50
ComboFix2.txt 2011-11-13 04:24
ComboFix3.txt 2011-09-30 00:13
.
Pre-Run: 11,401,965,568 bytes free
Post-Run: 11,458,584,576 bytes free
.
- - End Of File - - 2974B3510F27E8C8A192E873BD83E13C
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Run by Bob at 12:58:26 on 2011-11-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1258 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Documents and Settings\Bob\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\MiMedia LLC\MiMedia\MiMedia.exe
C:\Program Files\Omega Research\Program\orschd.exe
C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uLocal Page = c:\program files\common files\microsoft shared\stationery\Blank.htm
uStart Page = hxxp://twitter.com/
uDefault_Search_URL = hxxp://search.searchcompletion.com/?si=10211&home=1
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10591&gct=&gc=1&q=%s
mURLSearchHooks: H - No File
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [DriverMax_RESTART] "c:\program files\innovative solutions\drivermax\devices.exe" -RESTART
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [mylbx] c:\program files\my lockbox\mylbx.exe /a
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\aquari~1.lnk - c:\program files\aquarius soft\pc alarm clock pro\alarm.exe
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mimedia.lnk - c:\program files\mimedia llc\mimedia\MiMedia.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\omegar~1.lnk - c:\program files\omega research\program\orschd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} - hxxps://secure.logmein.com/activex/RACtrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1F50389D-8DEA-49E5-9593-FA09ACC3563A} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\vw9a9lod.default\
FF - prefs.js: browser.search.selectedEngine - Complitly
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.searchcompletion.com/?bs=1&si=10211&q=
FF - plugin: c:\documents and settings\bob\application data\mozilla\firefox\profiles\vw9a9lod.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\NPDOC.DLL
FF - plugin: c:\program files\netscape\navigator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\nprjplug.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\npwmsdrm.dll
.
---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.insidefutures.com http://www.futuresknowledge.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32592]
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2011-4-6 41912]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 295248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\bob\local settings\application data\crossloop\CrossLoopService.exe [2011-6-5 560880]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-5 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-7-13 47640]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 5120]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-5-10 127496]
S0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys --> c:\windows\system32\drivers\avgarkt.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\avgarcln.sys --> c:\windows\system32\drivers\AvgArCln.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 16720]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-18 7168]
S3 NLNdisMP;NLNdisMP;c:\windows\system32\drivers\nlndis.sys --> c:\windows\system32\drivers\nlndis.sys [?]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\drivers\nlndis.sys --> c:\windows\system32\drivers\nlndis.sys [?]
S3 tvnserver;TightVNC Server;c:\documents and settings\bob\local settings\application data\crossloop\tvnserver.exe [2011-6-5 814080]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-11-13 15:50:17 -------- d-----w- C:\! What If Bob Dies
2011-11-13 00:29:51 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-13 00:27:28 98816 ----a-w- c:\windows\sed.exe
2011-11-13 00:27:28 518144 ----a-w- c:\windows\SWREG.exe
2011-11-13 00:27:28 256000 ----a-w- c:\windows\PEV.exe
2011-11-13 00:27:28 208896 ----a-w- c:\windows\MBR.exe
2011-11-12 13:55:53 -------- d-----w- c:\program files\8A95D
2011-11-12 13:55:42 -------- d-----w- c:\documents and settings\bob\application data\w55ssQJ7dELgRqh
2011-11-12 13:55:42 -------- d-----w- c:\documents and settings\bob\application data\UCwwkUVVrlNtP0
2011-11-12 13:55:25 -------- d-----w- c:\documents and settings\bob\application data\SPPP0ycA1ivDo
2011-11-12 13:55:25 -------- d-----w- c:\documents and settings\bob\application data\A448A
2011-11-12 13:55:21 -------- d-----w- c:\documents and settings\bob\application data\w88RRZ9hYw
2011-11-12 12:49:28 -------- d-----w- c:\program files\TS Support
2011-11-12 12:49:28 -------- d-----w- c:\documents and settings\bob\application data\TS Support
2011-11-12 12:48:35 -------- d-----w- c:\documents and settings\bob\local settings\application data\TS Support
2011-11-12 12:48:35 -------- d-----w- c:\documents and settings\all users\application data\TS Support
2011-11-04 12:59:00 -------- d-----w- c:\program files\MiMedia LLC
2011-11-04 12:59:00 -------- d-----w- c:\documents and settings\all users\application data\MiMedia
2011-11-04 00:07:09 -------- d-----w- C:\Junk Non-Backup
2011-10-29 11:09:04 -------- d-----w- C:\TV Shows to DVD
2011-10-28 21:22:25 -------- d-----w- c:\documents and settings\bob\application data\DVD Flick
2011-10-28 21:22:10 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2011-10-28 21:22:10 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2011-10-28 21:22:09 28672 ----a-w- c:\windows\system32\mousewheel.ocx
2011-10-28 21:22:09 -------- d-----w- c:\program files\DVD Flick
2011-10-28 21:00:48 -------- d-----w- c:\documents and settings\bob\application data\AnvSoft
2011-10-28 21:00:16 -------- d-----w- c:\program files\AnvSoft
.
==================== Find3M ====================
.
2011-11-16 11:44:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 11:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-05 20:06:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-05 20:06:11 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-10-05 20:06:09 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-05 20:06:08 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-04 11:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2009-10-03 16:43:23 8410624 ----a-w- c:\program files\HTML Guardian 7.msi
.
============= FINISH: 12:58:40.25 ===============
Hi,
Download GMER (http://www.gmer.net) by clicking the Download EXE button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab, uncheck the Files option and then click Scan.
Don't check the Show All box while scanning is in progress!
When scanning is ready, click Copy.
This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-17 15:28:28
Windows 5.1.2600 Service Pack 3
Running: z8e5lspy.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\axryrpog.sys
---- System - GMER 1.0.15 ----
SSDT speb.sys ZwCreateKey [0xB7EB50E0]
SSDT speb.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT speb.sys ZwEnumerateValueKey [0xB7ECE132]
SSDT speb.sys ZwOpenKey [0xB7EB50C0]
SSDT speb.sys ZwQueryKey [0xB7ECE20A]
SSDT speb.sys ZwQueryValueKey [0xB7ECE08A]
SSDT speb.sys ZwSetValueKey [0xB7ECE29C]
INT 0x73 ? 8AB12BF8
INT 0x73 ? 8AB12BF8
INT 0x73 ? 8AB12BF8
INT 0x73 ? 8AB12BF8
INT 0x73 ? 8AAA1BF8
INT 0x73 ? 8AAA1BF8
INT 0x73 ? 8AB12BF8
INT 0x94 ? 8AAA1BF8
INT 0xA4 ? 8AAA1BF8
INT 0xB4 ? 8AAA1BF8
---- Kernel code sections - GMER 1.0.15 ----
? speb.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB661F3A0, 0x88C445, 0xE8000020]
.text USBPORT.SYS!DllUnload B65BE8AC 5 Bytes JMP 8AAA11D8
.text aoj5nz7h.SYS B634F386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aoj5nz7h.SYS B634F3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aoj5nz7h.SYS B634F3C4 3 Bytes [00, 80, 02]
.text aoj5nz7h.SYS B634F3C9 1 Byte [30]
.text aoj5nz7h.SYS B634F3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Bob\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] speb.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] speb.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] speb.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] speb.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] speb.sys
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\aoj5nz7h.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8AAA01F8
AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-0 8A4B11F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AAA21F8
Device \Driver\dmio \Device\DmControl\DmConfig 8AAA21F8
Device \Driver\dmio \Device\DmControl\DmPnP 8AAA21F8
Device \Driver\dmio \Device\DmControl\DmInfo 8AAA21F8
Device \Driver\usbuhci \Device\USBPDO-1 8A4B11F8
Device \Driver\PCI_PNP1316 \Device\00000052 speb.sys
Device \Driver\usbuhci \Device\USBPDO-2 8A4B11F8
Device \Driver\usbehci \Device\USBPDO-3 8A4B2500
Device \Driver\usbehci \Device\USBPDO-4 8A4B2500
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-5 8A4B11F8
Device \Driver\usbuhci \Device\USBPDO-6 8A4B11F8
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device 8AB131F8
AttachedDevice symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \Driver\usbuhci \Device\USBPDO-7 8A4B11F8
Device \Driver\Cdrom \Device\CdRom0 8A486500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8A486500
Device \Driver\Cdrom \Device\CdRom2 8A486500
Device \Driver\NetBT \Device\NetBt_Wins_Export 89A6F1F8
Device \Driver\sptd \Device\3912411316 speb.sys
Device \Driver\NetBT \Device\NetbiosSmb 89A6F1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{1F50389D-8DEA-49E5-9593-FA09ACC3563A} 89A6F1F8
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 8A4B11F8
Device \Driver\usbuhci \Device\USBFDO-1 8A4B11F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89A5D1F8
Device \Driver\usbuhci \Device\USBFDO-2 8A4B11F8
Device 89A5D1F8
Device \Driver\usbehci \Device\USBFDO-3 8A4B2500
Device \Driver\usbuhci \Device\USBFDO-4 8A4B11F8
Device \Driver\Ftdisk \Device\FtControl 8AB131F8
Device \Driver\usbuhci \Device\USBFDO-5 8A4B11F8
Device \Driver\usbuhci \Device\USBFDO-6 8A4B11F8
Device \Driver\usbehci \Device\USBFDO-7 8A4B2500
Device \Driver\aoj5nz7h \Device\Scsi\aoj5nz7h1Port4Path0Target0Lun0 8A3AF500
Device \Driver\aoj5nz7h \Device\Scsi\aoj5nz7h1 8A3AF500
Device \Driver\aoj5nz7h \Device\Scsi\aoj5nz7h1Port4Path0Target1Lun0 8A3AF500
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device 89039500
Device AF465297
Device \FileSystem\Cdfs \Cdfs 8A0F93B8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x54 0x55 0x2F 0x27 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7D 0xF3 0x29 0x5D ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x07 0x1E 0x7E 0x11 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2B 0x58 0x6B 0xDB ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xFE 0xC7 0xB7 0xD1 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7D 0x2C 0xA8 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1921846974
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1918445637
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x16 0x79 0xE3 0xAC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x95 0xDE 0xDC 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6F 0x73 0x64 0xC5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x45 0xEE 0x6C 0x16 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2B 0x58 0x6B 0xDB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xFE 0xC7 0xB7 0xD1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7D 0x2C 0xA8 0x1A ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7B 0xDA 0xDE 0x3A ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x95 0xDE 0xDC 0x4E ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6F 0x73 0x64 0xC5 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x45 0xEE 0x6C 0x16 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2B 0x58 0x6B 0xDB ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xFE 0xC7 0xB7 0xD1 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7D 0x2C 0xA8 0x1A ...
---- EOF - GMER 1.0.15 ----
Hi,
1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in the desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select Skip and click Continue (the tool may prompt for a reboot).
4. Post back the contents of the log file in the C: drive root (the name should be in the UtilityName.Version_Date_Time_log.txt format).
11:54:11.0453 5144 TDSS rootkit removing tool 2.6.19.0 Nov 16 2011 12:18:50
11:54:12.0000 5144 ============================================================
11:54:12.0000 5144 Current date / time: 2011/11/18 11:54:12.0000
11:54:12.0000 5144 SystemInfo:
11:54:12.0000 5144
11:54:12.0000 5144 OS Version: 5.1.2600 ServicePack: 3.0
11:54:12.0000 5144 Product type: Workstation
11:54:12.0000 5144 ComputerName: INSPIRON
11:54:12.0000 5144 UserName: Bob
11:54:12.0000 5144 Windows directory: C:\WINDOWS
11:54:12.0000 5144 System windows directory: C:\WINDOWS
11:54:12.0000 5144 Processor architecture: Intel x86
11:54:12.0000 5144 Number of processors: 2
11:54:12.0000 5144 Page size: 0x1000
11:54:12.0000 5144 Boot type: Normal boot
11:54:12.0000 5144 ============================================================
11:54:13.0843 5144 Initialize success
11:54:36.0296 1204 ============================================================
11:54:36.0296 1204 Scan started
11:54:36.0296 1204 Mode: Manual;
11:54:36.0296 1204 ============================================================
11:54:38.0171 1204 Abiosdsk - ok
11:54:38.0187 1204 abp480n5 - ok
11:54:38.0250 1204 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:54:38.0250 1204 ACPI - ok
11:54:38.0296 1204 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:54:38.0312 1204 ACPIEC - ok
11:54:38.0312 1204 adpu160m - ok
11:54:38.0390 1204 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:54:38.0390 1204 aec - ok
11:54:38.0437 1204 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
11:54:38.0437 1204 AFD - ok
11:54:38.0453 1204 Aha154x - ok
11:54:38.0453 1204 aic78u2 - ok
11:54:38.0468 1204 aic78xx - ok
11:54:38.0484 1204 AliIde - ok
11:54:38.0484 1204 amsint - ok
11:54:38.0546 1204 AnyDVD (64f24088dbb1d68ee9963f66f8eb68cf) C:\WINDOWS\system32\Drivers\AnyDVD.sys
11:54:38.0546 1204 AnyDVD - ok
11:54:38.0562 1204 asc - ok
11:54:38.0578 1204 asc3350p - ok
11:54:38.0578 1204 asc3550 - ok
11:54:38.0609 1204 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:54:38.0609 1204 AsyncMac - ok
11:54:38.0687 1204 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:54:38.0687 1204 atapi - ok
11:54:38.0703 1204 Atdisk - ok
11:54:38.0718 1204 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:54:38.0718 1204 Atmarpc - ok
11:54:38.0781 1204 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:54:38.0781 1204 audstub - ok
11:54:38.0781 1204 AVG Anti-Rootkit - ok
11:54:38.0796 1204 AvgArCln - ok
11:54:38.0843 1204 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
11:54:38.0843 1204 AVGIDSDriver - ok
11:54:38.0859 1204 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
11:54:38.0859 1204 AVGIDSEH - ok
11:54:38.0875 1204 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
11:54:38.0890 1204 AVGIDSFilter - ok
11:54:38.0937 1204 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
11:54:38.0937 1204 AVGIDSShim - ok
11:54:38.0984 1204 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
11:54:39.0000 1204 Avgldx86 - ok
11:54:39.0015 1204 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
11:54:39.0015 1204 Avgmfx86 - ok
11:54:39.0125 1204 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
11:54:39.0125 1204 Avgrkx86 - ok
11:54:39.0171 1204 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
11:54:39.0171 1204 Avgtdix - ok
11:54:39.0218 1204 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:54:39.0218 1204 Beep - ok
11:54:39.0234 1204 catchme - ok
11:54:39.0281 1204 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:54:39.0281 1204 cbidf2k - ok
11:54:39.0328 1204 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
11:54:39.0328 1204 CCDECODE - ok
11:54:39.0343 1204 cd20xrnt - ok
11:54:39.0406 1204 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:54:39.0406 1204 Cdaudio - ok
11:54:39.0468 1204 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:54:39.0468 1204 Cdfs - ok
11:54:39.0515 1204 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:54:39.0515 1204 Cdrom - ok
11:54:39.0593 1204 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
11:54:39.0593 1204 cercsr6 - ok
11:54:39.0625 1204 Changer - ok
11:54:39.0640 1204 CmdIde - ok
11:54:39.0656 1204 Cpqarray - ok
11:54:39.0796 1204 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
11:54:39.0796 1204 cpudrv - ok
11:54:39.0812 1204 dac2w2k - ok
11:54:39.0812 1204 dac960nt - ok
11:54:39.0828 1204 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:54:39.0828 1204 Disk - ok
11:54:39.0890 1204 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:54:39.0906 1204 dmboot - ok
11:54:39.0953 1204 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
11:54:39.0953 1204 dmio - ok
11:54:40.0000 1204 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:54:40.0000 1204 dmload - ok
11:54:40.0015 1204 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:54:40.0015 1204 DMusic - ok
11:54:40.0062 1204 dpti2o - ok
11:54:40.0093 1204 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:54:40.0093 1204 drmkaud - ok
11:54:40.0156 1204 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
11:54:40.0156 1204 e1express - ok
11:54:40.0218 1204 ElbyCDFL (ce37e3d51912e59c80c6d84337c0b4cd) C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
11:54:40.0218 1204 ElbyCDFL - ok
11:54:40.0265 1204 ElbyCDIO (d71233d7ccc2e64f8715a20428d5a33b) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
11:54:40.0265 1204 ElbyCDIO - ok
11:54:40.0390 1204 EverestDriver (76984d46b2abaa46f8b3fcef82c9217d) C:\Program Files\Lavalys\EVEREST Home Edition\kerneld.wnt
11:54:40.0390 1204 EverestDriver - ok
11:54:40.0453 1204 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:54:40.0453 1204 Fastfat - ok
11:54:40.0500 1204 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
11:54:40.0500 1204 Fdc - ok
11:54:40.0546 1204 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:54:40.0562 1204 Fips - ok
11:54:40.0578 1204 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
11:54:40.0578 1204 Flpydisk - ok
11:54:40.0625 1204 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
11:54:40.0640 1204 FltMgr - ok
11:54:40.0687 1204 FSProFilter (3528c9ec493ca524a877d217c7d51600) C:\WINDOWS\system32\Drivers\FSPFltd.sys
11:54:40.0687 1204 FSProFilter - ok
11:54:40.0703 1204 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:54:40.0703 1204 Fs_Rec - ok
11:54:40.0734 1204 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:54:40.0734 1204 Ftdisk - ok
11:54:40.0781 1204 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
11:54:40.0781 1204 GEARAspiWDM - ok
11:54:40.0859 1204 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:54:40.0859 1204 Gpc - ok
11:54:40.0968 1204 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:54:40.0968 1204 HDAudBus - ok
11:54:41.0031 1204 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:54:41.0031 1204 hidusb - ok
11:54:41.0031 1204 hpn - ok
11:54:41.0078 1204 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
11:54:41.0078 1204 HSFHWBS2 - ok
11:54:41.0125 1204 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
11:54:41.0140 1204 HSF_DP - ok
11:54:41.0203 1204 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
11:54:41.0203 1204 HTTP - ok
11:54:41.0218 1204 i2omgmt - ok
11:54:41.0234 1204 i2omp - ok
11:54:41.0281 1204 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
11:54:41.0296 1204 i8042prt - ok
11:54:41.0500 1204 ialm (0f68e2ec713f132ffb19e45415b09679) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
11:54:41.0562 1204 ialm - ok
11:54:41.0687 1204 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:54:41.0687 1204 Imapi - ok
11:54:41.0703 1204 ini910u - ok
11:54:41.0828 1204 IntcAzAudAddService (f7f3328544e1ac2e97caea9b39d9b9de) C:\WINDOWS\system32\drivers\RtkHDAud.sys
11:54:41.0890 1204 IntcAzAudAddService - ok
11:54:41.0906 1204 IntelIde - ok
11:54:41.0968 1204 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:54:41.0968 1204 intelppm - ok
11:54:42.0031 1204 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
11:54:42.0031 1204 Ip6Fw - ok
11:54:42.0109 1204 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:54:42.0109 1204 IpFilterDriver - ok
11:54:42.0140 1204 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:54:42.0140 1204 IpInIp - ok
11:54:42.0171 1204 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:54:42.0171 1204 IpNat - ok
11:54:42.0218 1204 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:54:42.0234 1204 IPSec - ok
11:54:42.0250 1204 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:54:42.0250 1204 IRENUM - ok
11:54:42.0265 1204 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:54:42.0265 1204 isapnp - ok
11:54:42.0296 1204 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:54:42.0296 1204 Kbdclass - ok
11:54:42.0312 1204 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:54:42.0312 1204 kbdhid - ok
11:54:42.0375 1204 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:54:42.0390 1204 kmixer - ok
11:54:42.0406 1204 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
11:54:42.0406 1204 KSecDD - ok
11:54:42.0468 1204 Lbd - ok
11:54:42.0468 1204 lbrtfdc - ok
11:54:42.0609 1204 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
11:54:42.0609 1204 LMIInfo - ok
11:54:42.0656 1204 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
11:54:42.0656 1204 lmimirr - ok
11:54:42.0656 1204 LMIRfsClientNP - ok
11:54:42.0671 1204 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
11:54:42.0671 1204 LMIRfsDriver - ok
11:54:42.0734 1204 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
11:54:42.0734 1204 mdmxsdk - ok
11:54:42.0750 1204 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:54:42.0750 1204 mnmdd - ok
11:54:42.0796 1204 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:54:42.0796 1204 Modem - ok
11:54:42.0828 1204 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
11:54:42.0828 1204 MODEMCSA - ok
11:54:42.0859 1204 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:54:42.0875 1204 Mouclass - ok
11:54:42.0921 1204 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:54:42.0921 1204 mouhid - ok
11:54:42.0953 1204 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:54:42.0953 1204 MountMgr - ok
11:54:42.0953 1204 mraid35x - ok
11:54:42.0968 1204 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:54:42.0968 1204 MRxDAV - ok
11:54:43.0031 1204 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:54:43.0031 1204 MRxSmb - ok
11:54:43.0062 1204 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:54:43.0062 1204 Msfs - ok
11:54:43.0078 1204 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:54:43.0078 1204 MSKSSRV - ok
11:54:43.0093 1204 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:54:43.0093 1204 MSPCLOCK - ok
11:54:43.0125 1204 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:54:43.0125 1204 MSPQM - ok
11:54:43.0140 1204 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:54:43.0156 1204 mssmbios - ok
11:54:43.0203 1204 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
11:54:43.0203 1204 MSTEE - ok
11:54:43.0250 1204 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
11:54:43.0250 1204 Mup - ok
11:54:43.0296 1204 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
11:54:43.0296 1204 NABTSFEC - ok
11:54:43.0359 1204 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:54:43.0359 1204 NDIS - ok
11:54:43.0375 1204 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
11:54:43.0375 1204 NdisIP - ok
11:54:43.0421 1204 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:54:43.0421 1204 NdisTapi - ok
11:54:43.0437 1204 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:54:43.0437 1204 Ndisuio - ok
11:54:43.0453 1204 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:54:43.0468 1204 NdisWan - ok
11:54:43.0531 1204 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
11:54:43.0531 1204 NDProxy - ok
11:54:43.0562 1204 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:54:43.0562 1204 NetBIOS - ok
11:54:43.0593 1204 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:54:43.0609 1204 NetBT - ok
11:54:43.0625 1204 NLNdisMP - ok
11:54:43.0625 1204 NLNdisPT - ok
11:54:43.0640 1204 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:54:43.0640 1204 Npfs - ok
11:54:43.0671 1204 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:54:43.0687 1204 Ntfs - ok
11:54:43.0718 1204 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:54:43.0718 1204 Null - ok
11:54:44.0062 1204 nv (8b2c874897ea498da012284e12f9db2b) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
11:54:44.0390 1204 nv - ok
11:54:44.0515 1204 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:54:44.0515 1204 NwlnkFlt - ok
11:54:44.0531 1204 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:54:44.0531 1204 NwlnkFwd - ok
11:54:44.0593 1204 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
11:54:44.0593 1204 Parport - ok
11:54:44.0609 1204 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:54:44.0609 1204 PartMgr - ok
11:54:44.0656 1204 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:54:44.0656 1204 ParVdm - ok
11:54:44.0671 1204 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:54:44.0671 1204 PCI - ok
11:54:44.0687 1204 PCIDump - ok
11:54:44.0703 1204 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:54:44.0703 1204 PCIIde - ok
11:54:44.0734 1204 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:54:44.0734 1204 Pcmcia - ok
11:54:44.0734 1204 PDCOMP - ok
11:54:44.0750 1204 PDFRAME - ok
11:54:44.0765 1204 PDRELI - ok
11:54:44.0765 1204 PDRFRAME - ok
11:54:44.0781 1204 perc2 - ok
11:54:44.0796 1204 perc2hib - ok
11:54:44.0843 1204 pfc (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys
11:54:44.0843 1204 pfc - ok
11:54:44.0906 1204 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:54:44.0906 1204 PptpMiniport - ok
11:54:44.0921 1204 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:54:44.0921 1204 PSched - ok
11:54:44.0953 1204 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:54:44.0953 1204 Ptilink - ok
11:54:45.0000 1204 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
11:54:45.0000 1204 PxHelp20 - ok
11:54:45.0015 1204 ql1080 - ok
11:54:45.0031 1204 Ql10wnt - ok
11:54:45.0031 1204 ql12160 - ok
11:54:45.0046 1204 ql1240 - ok
11:54:45.0046 1204 ql1280 - ok
11:54:45.0078 1204 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:54:45.0078 1204 RasAcd - ok
11:54:45.0140 1204 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:54:45.0140 1204 Rasl2tp - ok
11:54:45.0140 1204 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:54:45.0156 1204 RasPppoe - ok
11:54:45.0156 1204 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:54:45.0156 1204 Raspti - ok
11:54:45.0187 1204 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:54:45.0187 1204 Rdbss - ok
11:54:45.0203 1204 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:54:45.0203 1204 RDPCDD - ok
11:54:45.0218 1204 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:54:45.0218 1204 rdpdr - ok
11:54:45.0265 1204 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
11:54:45.0281 1204 RDPWD - ok
11:54:45.0328 1204 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:54:45.0328 1204 redbook - ok
11:54:45.0375 1204 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:54:45.0375 1204 Secdrv - ok
11:54:45.0421 1204 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
11:54:45.0437 1204 Serial - ok
11:54:45.0500 1204 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:54:45.0500 1204 Sfloppy - ok
11:54:45.0515 1204 Simbad - ok
11:54:45.0562 1204 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
11:54:45.0562 1204 SLIP - ok
11:54:45.0609 1204 sonypvs1 (dfadfc2c86662f40759bf02add27d569) C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
11:54:45.0609 1204 sonypvs1 - ok
11:54:45.0625 1204 Sparrow - ok
11:54:45.0656 1204 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:54:45.0671 1204 splitter - ok
11:54:45.0734 1204 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\System32\Drivers\sptd.sys
11:54:45.0734 1204 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
11:54:45.0734 1204 sptd ( LockedFile.Multi.Generic ) - warning
11:54:45.0734 1204 sptd - detected LockedFile.Multi.Generic (1)
11:54:45.0796 1204 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:54:45.0796 1204 sr - ok
11:54:45.0859 1204 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
11:54:45.0859 1204 Srv - ok
11:54:45.0906 1204 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
11:54:45.0906 1204 streamip - ok
11:54:45.0921 1204 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:54:45.0921 1204 swenum - ok
11:54:45.0984 1204 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:54:45.0984 1204 swmidi - ok
11:54:46.0000 1204 symc810 - ok
11:54:46.0015 1204 symc8xx - ok
11:54:46.0062 1204 symsnap (c9273531eac75ee225e3170fb6107fa3) C:\WINDOWS\system32\DRIVERS\symsnap.sys
11:54:46.0062 1204 symsnap - ok
11:54:46.0109 1204 sym_hi - ok
11:54:46.0140 1204 sym_u3 - ok
11:54:46.0171 1204 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:54:46.0187 1204 sysaudio - ok
11:54:46.0234 1204 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:54:46.0250 1204 Tcpip - ok
11:54:46.0296 1204 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:54:46.0296 1204 TDPIPE - ok
11:54:46.0328 1204 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:54:46.0328 1204 TDTCP - ok
11:54:46.0375 1204 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:54:46.0375 1204 TermDD - ok
11:54:46.0390 1204 TosIde - ok
11:54:46.0437 1204 TotRec7 (9f5eeba83c88eb747b831b6eeadc2442) C:\WINDOWS\system32\drivers\TotRec7.sys
11:54:46.0453 1204 TotRec7 - ok
11:54:46.0500 1204 TVICHW32 (e266683fc95abdec17cd378564e1b54b) C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
11:54:46.0500 1204 TVICHW32 - ok
11:54:46.0609 1204 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:54:46.0625 1204 Udfs - ok
11:54:46.0625 1204 ultra - ok
11:54:46.0671 1204 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:54:46.0687 1204 Update - ok
11:54:46.0734 1204 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
11:54:46.0734 1204 usbaudio - ok
11:54:46.0781 1204 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:54:46.0781 1204 usbccgp - ok
11:54:46.0796 1204 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:54:46.0796 1204 usbehci - ok
11:54:46.0812 1204 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:54:46.0812 1204 usbhub - ok
11:54:46.0828 1204 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:54:46.0828 1204 usbprint - ok
11:54:46.0843 1204 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
11:54:46.0843 1204 usbscan - ok
11:54:46.0859 1204 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:54:46.0859 1204 USBSTOR - ok
11:54:46.0890 1204 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:54:46.0890 1204 usbuhci - ok
11:54:46.0921 1204 v2imount (b4d63048d6358e7c6ab61b98b8cff263) C:\WINDOWS\system32\DRIVERS\v2imount.sys
11:54:46.0921 1204 v2imount - ok
11:54:46.0953 1204 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:54:46.0953 1204 VgaSave - ok
11:54:47.0015 1204 ViaIde - ok
11:54:47.0078 1204 vncdrv (4ec979b157d1aa075330362acb5424e5) C:\WINDOWS\system32\DRIVERS\vncdrv.sys
11:54:47.0078 1204 vncdrv - ok
11:54:47.0109 1204 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:54:47.0109 1204 VolSnap - ok
11:54:47.0109 1204 VProEventMonitor (e78781b2c86c92a0a738df566460f716) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
11:54:47.0109 1204 VProEventMonitor - ok
11:54:47.0125 1204 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:54:47.0140 1204 Wanarp - ok
11:54:47.0140 1204 WDICA - ok
11:54:47.0156 1204 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:54:47.0171 1204 wdmaud - ok
11:54:47.0203 1204 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
11:54:47.0203 1204 WimFltr - ok
11:54:47.0250 1204 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
11:54:47.0265 1204 winachsf - ok
11:54:47.0328 1204 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:54:47.0328 1204 WS2IFSL - ok
11:54:47.0390 1204 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
11:54:47.0390 1204 WSTCODEC - ok
11:54:47.0453 1204 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
11:54:47.0453 1204 WudfPf - ok
11:54:47.0531 1204 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
11:54:47.0531 1204 WudfRd - ok
11:54:47.0562 1204 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:54:47.0687 1204 \Device\Harddisk0\DR0 - ok
11:54:47.0687 1204 Boot (0x1200) (b9bb250aae6ac73996e62a937021a160) \Device\Harddisk0\DR0\Partition0
11:54:47.0687 1204 \Device\Harddisk0\DR0\Partition0 - ok
11:54:47.0687 1204 ============================================================
11:54:47.0687 1204 Scan finished
11:54:47.0687 1204 ============================================================
11:54:47.0703 5744 Detected object count: 1
11:54:47.0703 5744 Actual detected object count: 1
11:55:25.0734 5744 sptd ( LockedFile.Multi.Generic ) - skipped by user
11:55:25.0734 5744 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
c:\program files\8A95D
c:\documents and settings\Bob\Application Data\UCwwkUVVrlNtP0
c:\documents and settings\Bob\Application Data\w55ssQJ7dELgRqh
c:\documents and settings\Bob\Application Data\A448A
c:\documents and settings\Bob\Application Data\SPPP0ycA1ivDo
c:\documents and settings\Bob\Application Data\w88RRZ9hYw
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.
10.1.1 update for Adobe Reader here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Uninstall vulnerable Flash versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 7 Update 1 (http://www.oracle.com/technetwork/java/javase/downloads/index.html).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7u1-windows-i586.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install.
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.
Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
All of the infected files listed as a result of the Eset scan below (except for the last one) are the result of a file infection a few months back on a web site that I maintain. The files on the web site were immediately fixed. I kept the infected files for archive purposes, but I suppose that I don't really need them anymore.
Thank you very much for all your help.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\bkt3295B_hacked.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\index.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\!TT_Futures_test.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\conttp.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\count.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\course.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\coursel.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\courseo.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\CoursePass.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\courserr.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\courset.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\coursetr.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\coursetr_breakout.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\course_old1.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\course_order.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\course_td.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\course_thanx.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\CreditCardProc.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\index.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\keyreg.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\keyreg_old1.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\order.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\order_old1.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\order_old10.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\order_old12.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\order_old2.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\order_old3.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\QuizTD.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\rrthanks.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\Test0.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\Test0A.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\Test0B.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\Test0C.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\test1.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\test2.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\test3.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\test4.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\test5.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\test6.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\test7.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\test8.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\test8_old1.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\Testimny.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\testimny.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\testimny_old7.shtml JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\thanx.html JS/Kryptik.CK trojan
C:\! Pattern Trapper\Hack Incident 9_12_11\Hacked Files\coursetitlept\trthanks.html JS/Kryptik.CK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir a variant of Win32/Rootkit.Kryptik.FE trojan
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ComboFix 11-11-18.02 - Bob 11/18/2011 16:11:30.16.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1201 [GMT -6:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob\Desktop\CFScript
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Bob\Application Data\A448A
c:\documents and settings\Bob\Application Data\A448A\A95D.448
c:\documents and settings\Bob\Application Data\SPPP0ycA1ivDo
c:\documents and settings\Bob\Application Data\UCwwkUVVrlNtP0
c:\documents and settings\Bob\Application Data\UCwwkUVVrlNtP0\AV Security 2012.ico
c:\documents and settings\Bob\Application Data\w55ssQJ7dELgRqh
c:\documents and settings\Bob\Application Data\w88RRZ9hYw
c:\program files\8A95D
.
.
((((((((((((((((((((((((( Files Created from 2011-10-18 to 2011-11-18 )))))))))))))))))))))))))))))))
.
.
2011-11-18 17:53 . 2011-11-18 17:53 -------- d-----w- C:\tdsskiller
2011-11-13 15:50 . 2011-11-13 19:08 -------- d-----w- C:\! What If Bob Dies
2011-11-13 00:29 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-12 12:49 . 2011-11-12 12:49 -------- d-----w- c:\program files\TS Support
2011-11-12 12:49 . 2011-11-12 12:49 -------- d-----w- c:\documents and settings\Bob\Application Data\TS Support
2011-11-12 12:48 . 2011-11-12 12:48 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\TS Support
2011-11-12 12:48 . 2011-11-12 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\TS Support
2011-11-04 12:59 . 2011-11-04 13:52 -------- d-----w- c:\documents and settings\All Users\Application Data\MiMedia
2011-11-04 12:59 . 2011-11-04 12:59 -------- d-----w- c:\program files\MiMedia LLC
2011-11-04 00:07 . 2011-11-04 12:46 -------- d-----w- C:\Junk Non-Backup
2011-10-29 11:09 . 2011-11-18 22:02 -------- d-----w- C:\TV Shows to DVD
2011-10-28 21:22 . 2011-11-18 22:04 -------- d-----w- c:\documents and settings\Bob\Application Data\DVD Flick
2011-10-28 21:22 . 2007-08-31 23:36 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2011-10-28 21:22 . 2003-01-26 18:41 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2011-10-28 21:22 . 2011-10-28 21:22 -------- d-----w- c:\program files\DVD Flick
2011-10-28 21:22 . 2008-08-31 18:27 28672 ----a-w- c:\windows\system32\mousewheel.ocx
2011-10-28 21:00 . 2011-10-28 21:00 -------- d-----w- c:\documents and settings\Bob\Application Data\AnvSoft
2011-10-28 21:00 . 2011-10-28 21:00 -------- d-----w- c:\program files\AnvSoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 11:44 . 2011-05-19 10:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2008-01-13 03:20 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 11:23 . 2011-01-07 11:41 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-05 20:06 . 2010-07-13 10:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-05 20:06 . 2010-07-13 10:48 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-10-05 20:06 . 2010-07-13 10:48 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-05 20:06 . 2010-07-13 10:48 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-04 11:21 . 2011-02-10 12:53 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30 . 2011-01-19 09:32 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2011-04-10 21:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2009-10-03 16:43 . 2009-10-03 16:43 8410624 ----a-w- c:\program files\HTML Guardian 7.msi
2011-05-19 20:22 . 2009-08-20 23:58 113976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2011-07-21 20:16 . 2009-08-20 23:58 550712 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-08-20 23:58 . 2009-08-20 23:58 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-11-10 20:18 . 2011-05-07 00:38 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-17_17.41.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-18 11:15 . 2011-11-18 11:15 16384 c:\windows\temp\Perflib_Perfdata_c4c.dat
+ 2011-11-18 11:16 . 2011-11-18 11:16 16384 c:\windows\temp\Perflib_Perfdata_6d4.dat
+ 2011-11-18 11:14 . 2011-11-18 11:14 16384 c:\windows\temp\Perflib_Perfdata_264.dat
+ 2011-11-18 11:15 . 2011-11-18 11:15 348160 c:\windows\ERDNT\AutoBackup\11-18-2011\Users\00000002\UsrClass.dat
+ 2011-11-18 11:15 . 2005-10-20 17:02 163328 c:\windows\ERDNT\AutoBackup\11-18-2011\ERDNT.EXE
+ 2011-11-18 11:15 . 2011-11-18 11:15 12124160 c:\windows\ERDNT\AutoBackup\11-18-2011\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_MonitoredFolder]
@="{C00213B1-77A8-4F0E-B740-0B36FBF7FAE7}"
[HKEY_CLASSES_ROOT\CLSID\{C00213B1-77A8-4F0E-B740-0B36FBF7FAE7}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_SynchronizationPending]
@="{FAD5EA38-2D1D-485D-9B07-D35EB72B922E}"
[HKEY_CLASSES_ROOT\CLSID\{FAD5EA38-2D1D-485D-9B07-D35EB72B922E}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_MiMediaFiles_Synchronized]
@="{69DE75F6-60E6-4E55-B416-171941A5C73E}"
[HKEY_CLASSES_ROOT\CLSID\{69DE75F6-60E6-4E55-B416-171941A5C73E}]
2011-09-22 21:20 930704 ----a-w- c:\program files\MiMedia LLC\MiMedia\MiMedia_ShellExtensions.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2011-10-11 5389944]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26103592]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"DriverMax_RESTART"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2011-07-07 9245096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-05 16859648]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-20 2245984]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2005-02-16 221184]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"mylbx"="c:\program files\My Lockbox\mylbx.exe" [2011-03-27 1900864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-05-21 111208]
.
c:\documents and settings\Bob\Start Menu\Programs\Startup\
Aquarius Soft PC Alarm Clock Pro.lnk - c:\program files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe [2011-9-10 937984]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MiMedia.lnk - c:\program files\MiMedia LLC\MiMedia\MiMedia.exe [2011-9-22 55696]
Omega Research Task Scheduler.lnk - c:\program files\Omega Research\Program\orschd.exe [2008-3-19 148480]
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [N/A]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-10-05 20:06 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\NinjaTrader 7\\bin\\NinjaTrader.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\CrossLoop\\tvnserver.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"5910:TCP"= 5910:TCP:vnc5910
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/19/2011 3:32 AM 32592]
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [4/6/2011 1:37 PM 41912]
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/10/2011 6:54 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/5/2010 6:39 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 11:22 AM 12856]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [8/4/2004 4:00 AM 5120]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 4:13 PM 1553896]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [5/10/2009 3:26 PM 127496]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 CrossLoopService;CrossLoop Service;c:\documents and settings\Bob\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [6/5/2011 7:49 AM 560880]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 5:25 AM 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [3/30/2011 4:17 PM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 16720]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [8/18/2005 7168]
S3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys --> c:\windows\system32\DRIVERS\nlndis.sys [?]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys --> c:\windows\system32\DRIVERS\nlndis.sys [?]
S3 tvnserver;TightVNC Server;c:\documents and settings\Bob\Local Settings\Application Data\CrossLoop\tvnserver.exe [6/5/2011 7:49 AM 814080]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 72063757
*Deregistered* - 72063757
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-18 c:\windows\Tasks\User_Feed_Synchronization-{1FF685FF-AF79-4E0B-A492-555956BF9C7C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\program files\Common Files\Microsoft Shared\Stationery\Blank.htm
uStart Page = hxxp://twitter.com/
uDefault_Search_URL = hxxp://search.searchcompletion.com/?si=10211&home=1
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10591&gct=&gc=1&q=%s
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\vw9a9lod.default\
FF - prefs.js: browser.search.selectedEngine - Complitly
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.searchcompletion.com/?bs=1&si=10211&q=
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.insidefutures.com http://www.futuresknowledge.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-18 16:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1056)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-11-18 16:22:23
ComboFix-quarantined-files.txt 2011-11-18 22:22
ComboFix2.txt 2011-11-17 17:50
ComboFix3.txt 2011-11-13 04:24
ComboFix4.txt 2011-09-30 00:13
.
Pre-Run: 12,756,652,032 bytes free
Post-Run: 12,739,342,336 bytes free
.
- - End Of File - - 3081584B49380AC686F5D5E2F1A51160
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Bob at 18:25:04 on 2011-11-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.973 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Documents and Settings\Bob\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\MiMedia LLC\MiMedia\MiMedia.exe
C:\Program Files\Omega Research\Program\orschd.exe
C:\Program Files\Aquarius Soft\PC Alarm Clock Pro\alarm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uLocal Page = c:\program files\common files\microsoft shared\stationery\Blank.htm
uStart Page = hxxp://twitter.com/
uDefault_Search_URL = hxxp://search.searchcompletion.com/?si=10211&home=1
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10591&gct=&gc=1&q=%s
mURLSearchHooks: H - No File
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [DriverMax_RESTART] "c:\program files\innovative solutions\drivermax\devices.exe" -RESTART
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [mylbx] c:\program files\my lockbox\mylbx.exe /a
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\aquari~1.lnk - c:\program files\aquarius soft\pc alarm clock pro\alarm.exe
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mimedia.lnk - c:\program files\mimedia llc\mimedia\MiMedia.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\omegar~1.lnk - c:\program files\omega research\program\orschd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} - hxxps://secure.logmein.com/activex/RACtrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1F50389D-8DEA-49E5-9593-FA09ACC3563A} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\vw9a9lod.default\
FF - prefs.js: browser.search.selectedEngine - Complitly
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.searchcompletion.com/?bs=1&si=10211&q=
FF - plugin: c:\documents and settings\bob\application data\mozilla\firefox\profiles\vw9a9lod.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\NPDOC.DLL
FF - plugin: c:\program files\netscape\navigator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\nprjplug.dll
FF - plugin: c:\program files\netscape\navigator\program\plugins\npwmsdrm.dll
.
---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.insidefutures.com http://www.futuresknowledge.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32592]
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2011-4-6 41912]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 295248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\bob\local settings\application data\crossloop\CrossLoopService.exe [2011-6-5 560880]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-5 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-7-13 47640]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 5120]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-5-10 127496]
S0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys --> c:\windows\system32\drivers\avgarkt.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\avgarcln.sys --> c:\windows\system32\drivers\AvgArCln.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 16720]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest home edition\kerneld.wnt [2005-8-18 7168]
S3 NLNdisMP;NLNdisMP;c:\windows\system32\drivers\nlndis.sys --> c:\windows\system32\drivers\nlndis.sys [?]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\drivers\nlndis.sys --> c:\windows\system32\drivers\nlndis.sys [?]
S3 tvnserver;TightVNC Server;c:\documents and settings\bob\local settings\application data\crossloop\tvnserver.exe [2011-6-5 814080]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-11-18 22:31:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 17:53:23 -------- d-----w- C:\tdsskiller
2011-11-13 15:50:17 -------- d-----w- C:\! What If Bob Dies
2011-11-13 00:29:51 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-13 00:27:28 98816 ----a-w- c:\windows\sed.exe
2011-11-13 00:27:28 518144 ----a-w- c:\windows\SWREG.exe
2011-11-13 00:27:28 256000 ----a-w- c:\windows\PEV.exe
2011-11-13 00:27:28 208896 ----a-w- c:\windows\MBR.exe
2011-11-12 12:49:28 -------- d-----w- c:\program files\TS Support
2011-11-12 12:49:28 -------- d-----w- c:\documents and settings\bob\application data\TS Support
2011-11-12 12:48:35 -------- d-----w- c:\documents and settings\bob\local settings\application data\TS Support
2011-11-12 12:48:35 -------- d-----w- c:\documents and settings\all users\application data\TS Support
2011-11-04 12:59:00 -------- d-----w- c:\program files\MiMedia LLC
2011-11-04 12:59:00 -------- d-----w- c:\documents and settings\all users\application data\MiMedia
2011-11-04 00:07:09 -------- d-----w- C:\Junk Non-Backup
2011-10-29 11:09:04 -------- d-----w- C:\TV Shows to DVD
2011-10-28 21:22:25 -------- d-----w- c:\documents and settings\bob\application data\DVD Flick
2011-10-28 21:22:10 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
2011-10-28 21:22:10 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx
2011-10-28 21:22:09 28672 ----a-w- c:\windows\system32\mousewheel.ocx
2011-10-28 21:22:09 -------- d-----w- c:\program files\DVD Flick
2011-10-28 21:00:48 -------- d-----w- c:\documents and settings\bob\application data\AnvSoft
2011-10-28 21:00:16 -------- d-----w- c:\program files\AnvSoft
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 11:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-05 20:06:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-05 20:06:11 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-10-05 20:06:09 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-10-05 20:06:08 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-04 11:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2009-10-03 16:43:23 8410624 ----a-w- c:\program files\HTML Guardian 7.msi
.
============= FINISH: 18:26:02.00 ===============
Ok. Are there any issues left?
No more issues that I can detect. The machine seems to be running normally again.
Thank you very much for sharing your time, knowledge, and experience in helping me out. It is sincerely appreciated!
It's time to secure your system to prevent further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.
Now let's uninstall ComboFix:
Click START, then RUN.
Now copy and paste Combofix /uninstall into the Run box and click OK.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings. Leave the program installed so you'll stay alerted about vulnerable components in the future too.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade
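The Custom Level changes listed above can also be checked (and, if wanted, applied) from the registry rather than by clicking through the dialog, which makes it easy to confirm nothing has drifted back after the cleanup. The following PowerShell script is an added example, not something from this thread or from any of the tools it mentions. It audits the current user's Internet zone (zone 3) against the six recommended settings and writes them when run with -Apply. The numeric value IDs (1001, 1004, 1201, 1800, 1804, 1607) and the 0/1/3 state encoding are taken from Microsoft's documentation of the Zones registry key; that mapping is an assumption of this example, not something stated in the thread.

```powershell
# Added example (not from the forum thread): audit the current user's Internet zone
# (Zones\3) against the Custom Level settings recommended above, and apply them
# when -Apply is given. The value IDs below are the URL action IDs Microsoft
# documents for the Zones registry key (assumption taken from that documentation).
param([switch]$Apply)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Custom Level states as stored in the registry: 0 = Enable, 1 = Prompt, 3 = Disable
$Prompt  = 1
$Disable = 3
$stateName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = $Prompt  },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = $Disable },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = $Disable },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = $Prompt  },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = $Prompt  },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = $Prompt  }
)

if (-not (Test-Path $zonePath)) {
    Write-Error "Zone key not found: $zonePath"
    exit 1
}

$drift = 0
foreach ($s in $recommended) {
    $item = Get-ItemProperty -Path $zonePath -Name $s.Id -ErrorAction SilentlyContinue
    $current = if ($item) { [int]$item.($s.Id) } else { $null }

    if ($null -eq $current) {
        # No explicit value: IE falls back to the zone template default, so report it as drift
        $shown = 'not set (zone template default applies)'
    } elseif ($stateName.ContainsKey($current)) {
        $shown = $stateName[$current]
    } else {
        $shown = "unknown value $current"
    }

    if ($current -eq $s.Want) {
        Write-Output ("OK       {0} = {1}" -f $s.Name, $shown)
        continue
    }

    $drift++
    Write-Output ("DRIFT    {0}: is {1}, recommended {2}" -f $s.Name, $shown, $stateName[$s.Want])

    if ($Apply) {
        # Values under Zones\<n> are REG_DWORD; Set-ItemProperty creates the value if it is absent
        Set-ItemProperty -Path $zonePath -Name $s.Id -Value $s.Want -Type DWord
        Write-Output ("FIXED    {0} -> {1}" -f $s.Name, $stateName[$s.Want])
    }
}

Write-Output ("{0} of {1} settings differ from the recommendation." -f $drift, $recommended.Count)
if ($drift -gt 0 -and -not $Apply) { exit 2 }
exit 0
```

Run it without arguments first to see what differs (exit code 2 means at least one setting is off), then with -Apply to write the recommended values; Internet Explorer picks the new values up the next time it starts. Two caveats: this only touches the current user's hive, so repeat it for each account on the machine, and on a computer where a policy sets Security_HKLM_only under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, the machine-wide zone keys take precedence and the per-user values audited here are ignored.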
I've completed all the recommended steps. The computer seems to be running fine now, except for one thing. Whenever I try to attach a document to an e-mail in Outlook Express, it takes several minutes for the program to recognize a different computer over the home network. I don't recall it being like this before I started having virus problems. I did a Google search for similar issues and potential fixes, but couldn't find anything. Do you have any suggestions?
I have another issue on a different machine that I thought I might get your feedback on. The machine has some sort of Nvidia RAID backup system that I really know nothing about. Whenever I reboot the computer I have a flashing red error message for several seconds that reads as follows:
Detecting Arrays
0 DEGRADED NVIDIA MIRROR 698.63G
1 DEGRADED NVIDIA MIRROR 698.63G
I have a PDF manual for the RAID system, which describes a way of rebuilding the arrays. My question is: can I do this safely without damaging anything that currently exists on my hard drive?
Thank you for all your help.
Hi,
Both remaining things are likely not malware related. I recommend posting at a forum like TechSupportGuy (http://forums.techguy.org) that has an area for non-malware issues too :)
Thank you very much for all your help.
It is sincerely appreciated.