roberts1008
2013-03-22, 00:14
Recently, I ran Spybot and it found an infection with Win32.downloader.gen malware. After finding it, Spybot tried to remove it but couldn't. Then, Spybot asked if I wanted to allow Spybot to run again when the computer restarts. I selected "yes" and after restarting, Spybot ran for several hours (with no other programs running) and again detected the malware. Once I selected "fix problem", it checked it off as if it was repaired. However, when I run the program again, it still finds it again and the whole sequence is repeated.
Potential source of the problem: Recently, I downloaded several audio codec files from download.cnet.com/windows/ and possibly this infected my computer.
I was running Spybot Search & Destroy version 1.6.2.46.
Tashi asked me to post to this forum.
In the instructions, I was told to use ERUNT to back up my system registry.
Then, I was told to run the DDS log and below are the contents:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by JEFF at 14:10:57 on 2013-03-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1359 [GMT -7:00]
.
AV: ZoneAlarm Extreme Security Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Extreme Security Firewall *Enabled*
.
============== Running Processes ================
.
D:\Program Files\Microsoft Security Client\MsMpEng.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\SCardSvr.exe
D:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe
D:\Program Files\SearchProtect\bin\CltMngSvc.exe
D:\Program Files\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe
D:\Program Files\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
D:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
D:\WINDOWS\system32\EscSvc.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
D:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
D:\WINDOWS\system32\SearchIndexer.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\stsystra.exe
D:\Program Files\Dell\QuickSet\quickset.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
D:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Program Files\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe
D:\Program Files\Epson Software\Event Manager\EEventManager.exe
D:\Program Files\Epson Software\FAX Utility\FUFAXRCV.exe
D:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
D:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
D:\Program Files\Microsoft Security Client\msseces.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
D:\Program Files\Digital Line Detect\DLG.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Windows Desktop Search\WindowsSearch.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
D:\WINDOWS\system32\wbem\unsecapp.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Documents and Settings\JEFF\Application Data\SearchProtect\bin\cltmng.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Microsoft Office\Office12\EXCEL.EXE
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
D:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
D:\Program Files\Mozilla Firefox\plugin-container.exe
D:\WINDOWS\system32\SearchProtocolHost.exe
D:\WINDOWS\system32\SearchFilterHost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k NetworkService
D:\WINDOWS\system32\svchost.exe -k LocalService
D:\WINDOWS\system32\svchost.exe -k LocalService
D:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: E-Web Print: {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} - d:\program files\epson software\e-web print\ewps_tb.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} -
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - d:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - d:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - d:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - d:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} -
TB: E-Web Print: {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} - d:\program files\epson software\e-web print\ewps_tb.dll
EB: E-Web Print: {A60C1DC7-64B3-4AD9-8E67-035D11B8B2B0} - d:\program files\epson software\e-web print\ewps_tb.dll
uRun: [SearchProtect] d:\documents and settings\jeff\application data\searchprotect\bin\cltmng.exe
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "d:\program files\windows live\messenger\msnmsgr.exe" /background
uRunOnce: [FlashPlayerUpdate] d:\windows\system32\macromed\flash\FlashUtil32_11_4_402_287_Plugin.exe -update plugin
mRun: [IntelZeroConfig] "d:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "d:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ChangeTPMAuth] d:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [SunJavaUpdateSched] d:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] d:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] d:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISW] d:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
mRun: [ZoneAlarm] "d:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [APSDaemon] "d:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Aware Browsing Protection] "d:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
mRun: [PDVDDXSrv] "d:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [HP Software Update] d:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PowerDVD12DMREngine] "d:\program files\cyberlink\powerdvd12\kernel\dmr\PowerDVD12DMREngine.exe"
mRun: [PowerDVD12Agent] "d:\program files\cyberlink\powerdvd12\PowerDVD12Agent.exe"
mRun: [EEventManager] "d:\program files\epson software\event manager\EEventManager.exe"
mRun: [FUFAXRCV] "d:\program files\epson software\fax utility\FUFAXRCV.exe"
mRun: [FUFAXSTM] "d:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [USBToolTip] d:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
mRun: [SearchProtectAll] d:\program files\searchprotect\bin\cltmng.exe
mRun: [MSC] "d:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "d:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - d:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - d:\program files\digital line detect\DLG.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - d:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - d:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - d:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1343712404168
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1362982937296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: NameServer = 10.0.0.1
TCP: Interfaces\{1F0D5606-B5CA-40BE-8255-0BA7B935EC63} : DHCPNameServer = 10.0.0.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - d:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\documents and settings\jeff\application data\mozilla\firefox\profiles\0em5le4q.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: d:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: d:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: d:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: d:\program files\microsoft\office live\npOLW.dll
FF - plugin: d:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - ExtSQL: 2013-02-16 00:46; e-webprint@epson.com; d:\program files\epson software\e-web print\Firefox Add-on
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;d:\windows\system32\drivers\kl1.sys [2012-7-31 133208]
R0 MpFilter;Microsoft Malware Protection Driver;d:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 kl2;kl2;d:\windows\system32\drivers\kl2.sys [2012-7-31 11352]
R1 KLIF;Kaspersky Lab Driver;d:\windows\system32\drivers\klif.sys [2012-7-31 485808]
R1 Vsdatant;vsdatant;d:\windows\system32\vsdatant.sys [2012-7-22 526640]
R2 {73526619-C24F-470B-9BED-53D455FBB5C6};Power Control [2013/02/01 21:21:53];d:\program files\cyberlink\powerdvd12\common\navfilter\000.fcl [2012-12-28 76560]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;d:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R2 CLHNServiceForPowerDVD12;CLHNServiceForPowerDVD12;d:\program files\cyberlink\powerdvd12\kernel\dmp\clhnserver\CLHNServiceForPowerDVD12.exe [2013-2-1 91248]
R2 CltMngSvc;Search Protect by Conduit Updater;d:\program files\searchprotect\bin\CltMngSvc.exe [2013-2-20 93984]
R2 CyberLink PowerDVD 12 Media Server Monitor Service;CyberLink PowerDVD 12 Media Server Monitor Service;d:\program files\cyberlink\powerdvd12\kernel\dms\CLMSMonitorServicePDVD12.exe [2013-2-1 78960]
R2 CyberLink PowerDVD 12 Media Server Service;CyberLink PowerDVD 12 Media Server Service;d:\program files\cyberlink\powerdvd12\kernel\dms\CLMSServerPDVD12.exe [2013-2-1 296048]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;d:\program files\epson\epsoncustomerparticipation\EPCP.exe [2012-5-10 539744]
R2 EpsonScanSvc;Epson Scanner Service;d:\windows\system32\escsvc.exe [2013-2-13 122000]
R2 ISWKL;ZoneAlarm ForceField ISWKL;d:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-7-14 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;d:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-7-14 497320]
R2 MBAMScheduler;MBAMScheduler;d:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-11-11 398184]
R2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-11-11 682344]
R2 ntk_PowerDVD12;ntk_PowerDVD12;d:\program files\cyberlink\powerdvd12\kernel\dmp\clhnserver\ntk_PowerDVD12.sys [2013-2-1 121208]
R2 vsmon;TrueVector Internet Monitor;d:\program files\checkpoint\zonealarm\vsmon.exe -service --> d:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 icsak;icsak;d:\program files\checkpoint\zaforcefield\ak\icsak.sys [2012-7-14 36784]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [2012-11-11 21104]
S1 SBRE;SBRE;\??\d:\windows\system32\drivers\sbredrv.sys --> d:\windows\system32\drivers\SBREdrv.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;d:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [2013-3-18 40776]
S3 WinRM;Windows Remote Management (WS-Management);d:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;d:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-03-21 20:07:06 7108640 ----a-w- d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ca5bdd50-36ec-42df-9b8b-5e77f0d96314}\mpengine.dll
2013-03-19 21:53:24 6954968 ------w- d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-03-19 21:48:54 -------- d-----w- d:\documents and settings\jeff\application data\SearchProtect
2013-03-19 05:47:14 40776 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2013-03-12 20:25:33 12928 -c----w- d:\windows\system32\dllcache\usb8023x.sys
2013-03-12 20:25:33 12928 -c----w- d:\windows\system32\dllcache\usb8023.sys
2013-03-11 22:46:42 -------- d-----w- d:\documents and settings\jeff\Tracing
2013-03-11 22:44:36 -------- d-----w- d:\program files\Microsoft Office Outlook Connector
2013-03-11 22:41:46 3426072 ----a-w- d:\windows\system32\d3dx9_32.dll
2013-03-11 22:38:37 -------- d-----w- d:\program files\Microsoft
2013-03-11 22:38:05 -------- d-----w- d:\program files\Windows Live SkyDrive
2013-03-11 22:37:06 4927864 ----a-w- d:\program files\common files\windows live\.cache\f5d64f481ce1ea8\Silverlight.2.0.exe
2013-03-11 22:35:22 74520 ----a-w- d:\program files\common files\windows live\.cache\b77508841ce1ea8\DSETUP.dll
2013-03-11 22:35:22 484632 ----a-w- d:\program files\common files\windows live\.cache\b77508841ce1ea8\DXSETUP.exe
2013-03-11 22:35:22 1670936 ----a-w- d:\program files\common files\windows live\.cache\b77508841ce1ea8\dsetup32.dll
2013-03-11 22:35:07 1013800 ----a-w- d:\program files\common files\windows live\.cache\aeda0bac1ce1ea8\WindowsXP-KB954708-x86-ENU.exe
2013-03-11 22:01:14 -------- d-----w- d:\program files\common files\Windows Live
2013-03-10 01:32:47 222448 ----a-w- d:\windows\system32\muweb.dll
2013-03-10 01:32:45 275696 ----a-w- d:\windows\system32\mucltui.dll
2013-03-10 01:32:45 17136 ----a-w- d:\windows\system32\mucltui.dll.mui
2013-03-10 00:48:53 232336 ------w- d:\windows\system32\MpSigStub.exe
2013-03-10 00:39:51 -------- d-----w- d:\program files\Microsoft Security Client
2013-03-09 06:15:51 -------- d-----w- d:\documents and settings\jeff\.SimXpert
2013-03-09 05:43:25 -------- d-----w- d:\documents and settings\jeff\CDMData
2013-03-09 05:38:47 -------- d-----w- d:\documents and settings\jeff\scratch
2013-03-09 05:38:47 -------- d-----w- d:\documents and settings\jeff\Process
2013-03-09 04:53:32 -------- d-----w- D:\MSC Software
2013-03-08 23:04:40 -------- d-----w- D:\SCRATCH
2013-03-08 22:34:54 -------- d-----w- D:\MSC.Software
2013-03-08 06:18:00 80090 ----a-w- d:\documents and settings\jeff\application data\SMBIOSSP.exe
2013-03-07 02:38:09 -------- d-----w- d:\program files\common files\Gretech Corporation
2013-03-07 02:38:08 -------- d-----w- d:\documents and settings\all users\application data\GRETECH
2013-03-07 02:35:32 -------- d-----w- d:\program files\GRETECH
2013-03-07 01:16:36 -------- d-----w- d:\program files\Conduit
2013-03-07 01:16:07 -------- d-----w- d:\documents and settings\jeff\local settings\application data\Conduit
2013-03-07 01:16:06 -------- d-----w- d:\documents and settings\jeff\local settings\application data\Temp
2013-03-07 01:15:23 -------- d-----w- d:\program files\SearchProtect
2013-03-04 17:15:23 -------- d-----w- d:\documents and settings\jeff\local settings\application data\Pinnacle
2013-03-04 04:48:11 171520 ----a-w- d:\windows\system32\drivers\MarvinBus.sys
2013-03-04 04:47:54 -------- d-----w- d:\program files\common files\Pinnacle
2013-03-04 04:46:31 -------- d-----w- d:\documents and settings\all users\application data\Pinnacle Studio HD
2013-03-04 04:37:15 -------- d-----w- d:\program files\common files\Pegasus Imaging
2013-03-04 04:37:12 -------- d-----w- d:\program files\common files\Yahoo!
2013-03-04 04:37:11 -------- d-----w- d:\program files\Pinnacle
2013-03-04 04:37:11 -------- d-----w- d:\documents and settings\all users\application data\Studio 14
2013-03-04 04:37:11 -------- d-----w- d:\documents and settings\all users\application data\Pinnacle Studio Plus
2013-03-03 23:06:32 -------- d-----w- d:\documents and settings\all users\CyberLink
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin7.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin6.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin5.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin4.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin3.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin2.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin.dll
2013-03-03 22:41:46 447479568 ----a-w- d:\program files\CL.2418_GM4_Trial_VDE121106-02.exe
2013-02-27 05:35:55 -------- d-----w- d:\windows\system32\NtmsData
.
==================== Find3M ====================
.
2013-02-12 00:32:23 12928 ----a-w- d:\windows\system32\drivers\usb8023.sys
2013-02-12 00:32:23 12928 ------w- d:\windows\system32\drivers\usb8023x.sys
2013-02-05 20:05:47 916480 ----a-w- d:\windows\system32\wininet.dll
2013-02-05 20:05:46 43520 ------w- d:\windows\system32\licmgr10.dll
2013-02-05 20:05:46 1469440 ------w- d:\windows\system32\inetcpl.cpl
2013-02-05 05:53:57 385024 ------w- d:\windows\system32\html.iec
2013-01-26 03:55:44 552448 ----a-w- d:\windows\system32\oleaut32.dll
2013-01-25 16:48:32 3915776 ----a-w- d:\windows\system32\ffmpeg.dll
2013-01-25 16:47:32 112640 ----a-w- d:\windows\system32\ff_vfw.dll
2013-01-25 16:47:18 3500544 ----a-w- d:\windows\system32\ffdshow.ax
2013-01-25 16:46:18 271360 ----a-w- d:\windows\system32\TomsMoComp_ff.dll
2013-01-25 16:46:16 99840 ----a-w- d:\windows\system32\ff_wmv9.dll
2013-01-25 16:46:16 157184 ----a-w- d:\windows\system32\ff_unrar.dll
2013-01-25 16:46:12 211968 ----a-w- d:\windows\system32\ff_libdts.dll
2013-01-25 16:46:12 147456 ----a-w- d:\windows\system32\ff_libmad.dll
2013-01-25 16:46:08 1525760 ----a-w- d:\windows\system32\ff_samplerate.dll
2013-01-25 16:46:08 114688 ----a-w- d:\windows\system32\ff_liba52.dll
2013-01-25 16:00:40 420008 ----a-w- d:\windows\system32\LAVSplitter.ax
2013-01-25 16:00:40 384472 ----a-w- d:\windows\system32\swscale-lav-2.dll
2013-01-25 16:00:40 279208 ----a-w- d:\windows\system32\IntelQuickSyncDecoder.dll
2013-01-25 16:00:40 247920 ----a-w- d:\windows\system32\avutil-lav-52.dll
2013-01-25 16:00:40 243880 ----a-w- d:\windows\system32\LAVAudio.ax
2013-01-25 16:00:40 183976 ----a-w- d:\windows\system32\libbluray.dll
2013-01-25 16:00:40 165160 ----a-w- d:\windows\system32\avresample-lav-1.dll
2013-01-25 16:00:40 1186984 ----a-w- d:\windows\system32\LAVVideo.ax
2013-01-25 16:00:38 7833552 ----a-w- d:\windows\system32\avcodec-lav-54.dll
2013-01-25 16:00:38 169888 ----a-w- d:\windows\system32\avfilter-lav-3.dll
2013-01-25 16:00:38 1257464 ----a-w- d:\windows\system32\avformat-lav-54.dll
2013-01-20 23:59:04 195296 ----a-w- d:\windows\system32\drivers\MpFilter.sys
2013-01-07 01:19:45 2148864 ----a-w- d:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01 2027520 ----a-w- d:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00 1867264 ----a-w- d:\windows\system32\win32k.sys
2013-01-02 06:49:10 148992 ----a-w- d:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10 1292288 ----a-w- d:\windows\system32\quartz.dll
.
============= FINISH: 14:13:55.23 ===============
Here is the log from the aswMBR scan:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-03-21 14:33:17
-----------------------------
14:33:17.328 OS Version: Windows 5.1.2600 Service Pack 3
14:33:17.328 Number of processors: 2 586 0x1706
14:33:17.328 ComputerName: OSCAR2 UserName: JEFF
14:33:27.484 Initialize success
14:58:45.187 AVAST engine defs: 13032102
15:01:56.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
15:01:56.812 Disk 0 Vendor: WDC_WD7500BPVT-22HXZT1 01.01A01 Size: 715404MB BusType: 3
15:01:56.984 Disk 0 MBR read successfully
15:01:56.984 Disk 0 MBR scan
15:01:57.046 Disk 0 Windows XP default MBR code
15:01:57.046 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 101 MB offset 63
15:01:57.093 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 114416 MB offset 208845
15:01:57.109 Disk 0 Partition - 00 0F Extended LBA 515405 MB offset 409593240
15:01:57.125 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 199996 MB offset 409593303
15:01:57.140 Disk 0 Partition - 00 05 Extended 315408 MB offset 819186480
15:01:57.156 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 315408 MB offset 819186543
15:01:57.156 Disk 0 scanning sectors +1465144065
15:01:57.218 Disk 0 scanning D:\WINDOWS\system32\drivers
15:02:18.640 Service scanning
15:02:38.421 Service MpKsl5be7457a D:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA5BDD50-36EC-42DF-9B8B-5E77F0D96314}\MpKsl5be7457a.sys **LOCKED** 32
15:03:01.500 Modules scanning
15:03:14.062 Disk 0 trace - called modules:
15:03:14.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
15:03:14.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac35820]
15:03:14.093 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8acd8d98]
15:03:15.328 AVAST engine scan D:\WINDOWS
15:03:28.265 AVAST engine scan D:\WINDOWS\system32
15:08:01.468 AVAST engine scan D:\WINDOWS\system32\drivers
15:08:27.984 AVAST engine scan D:\Documents and Settings\JEFF
15:12:48.953 Disk 0 MBR has been saved successfully to "D:\Documents and Settings\JEFF\My Documents\MBR.dat"
15:12:48.953 The log file has been saved successfully to "D:\Documents and Settings\JEFF\My Documents\aswMBR.txt"
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - d:\program files\digital line detect\DLG.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - d:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - d:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - d:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1343712404168
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1362982937296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: NameServer = 10.0.0.1
TCP: Interfaces\{1F0D5606-B5CA-40BE-8255-0BA7B935EC63} : DHCPNameServer = 10.0.0.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - d:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\documents and settings\jeff\application data\mozilla\firefox\profiles\0em5le4q.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: d:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: d:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: d:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: d:\program files\microsoft\office live\npOLW.dll
FF - plugin: d:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - ExtSQL: 2013-02-16 00:46; e-webprint@epson.com; d:\program files\epson software\e-web print\Firefox Add-on
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;d:\windows\system32\drivers\kl1.sys [2012-7-31 133208]
R0 MpFilter;Microsoft Malware Protection Driver;d:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 kl2;kl2;d:\windows\system32\drivers\kl2.sys [2012-7-31 11352]
R1 KLIF;Kaspersky Lab Driver;d:\windows\system32\drivers\klif.sys [2012-7-31 485808]
R1 Vsdatant;vsdatant;d:\windows\system32\vsdatant.sys [2012-7-22 526640]
R2 {73526619-C24F-470B-9BED-53D455FBB5C6};Power Control [2013/02/01 21:21:53];d:\program files\cyberlink\powerdvd12\common\navfilter\000.fcl [2012-12-28 76560]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;d:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R2 CLHNServiceForPowerDVD12;CLHNServiceForPowerDVD12;d:\program files\cyberlink\powerdvd12\kernel\dmp\clhnserver\CLHNServiceForPowerDVD12.exe [2013-2-1 91248]
R2 CltMngSvc;Search Protect by Conduit Updater;d:\program files\searchprotect\bin\CltMngSvc.exe [2013-2-20 93984]
R2 CyberLink PowerDVD 12 Media Server Monitor Service;CyberLink PowerDVD 12 Media Server Monitor Service;d:\program files\cyberlink\powerdvd12\kernel\dms\CLMSMonitorServicePDVD12.exe [2013-2-1 78960]
R2 CyberLink PowerDVD 12 Media Server Service;CyberLink PowerDVD 12 Media Server Service;d:\program files\cyberlink\powerdvd12\kernel\dms\CLMSServerPDVD12.exe [2013-2-1 296048]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;d:\program files\epson\epsoncustomerparticipation\EPCP.exe [2012-5-10 539744]
R2 EpsonScanSvc;Epson Scanner Service;d:\windows\system32\escsvc.exe [2013-2-13 122000]
R2 ISWKL;ZoneAlarm ForceField ISWKL;d:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-7-14 27056]
R2 IswSvc;ZoneAlarm ForceField IswSvc;d:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-7-14 497320]
R2 MBAMScheduler;MBAMScheduler;d:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-11-11 398184]
R2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-11-11 682344]
R2 ntk_PowerDVD12;ntk_PowerDVD12;d:\program files\cyberlink\powerdvd12\kernel\dmp\clhnserver\ntk_PowerDVD12.sys [2013-2-1 121208]
R2 vsmon;TrueVector Internet Monitor;d:\program files\checkpoint\zonealarm\vsmon.exe -service --> d:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 icsak;icsak;d:\program files\checkpoint\zaforcefield\ak\icsak.sys [2012-7-14 36784]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [2012-11-11 21104]
S1 SBRE;SBRE;\??\d:\windows\system32\drivers\sbredrv.sys --> d:\windows\system32\drivers\SBREdrv.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;d:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [2013-3-18 40776]
S3 WinRM;Windows Remote Management (WS-Management);d:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;d:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-03-21 20:07:06 7108640 ----a-w- d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ca5bdd50-36ec-42df-9b8b-5e77f0d96314}\mpengine.dll
2013-03-19 21:53:24 6954968 ------w- d:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-03-19 21:48:54 -------- d-----w- d:\documents and settings\jeff\application data\SearchProtect
2013-03-19 05:47:14 40776 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2013-03-12 20:25:33 12928 -c----w- d:\windows\system32\dllcache\usb8023x.sys
2013-03-12 20:25:33 12928 -c----w- d:\windows\system32\dllcache\usb8023.sys
2013-03-11 22:46:42 -------- d-----w- d:\documents and settings\jeff\Tracing
2013-03-11 22:44:36 -------- d-----w- d:\program files\Microsoft Office Outlook Connector
2013-03-11 22:41:46 3426072 ----a-w- d:\windows\system32\d3dx9_32.dll
2013-03-11 22:38:37 -------- d-----w- d:\program files\Microsoft
2013-03-11 22:38:05 -------- d-----w- d:\program files\Windows Live SkyDrive
2013-03-11 22:37:06 4927864 ----a-w- d:\program files\common files\windows live\.cache\f5d64f481ce1ea8\Silverlight.2.0.exe
2013-03-11 22:35:22 74520 ----a-w- d:\program files\common files\windows live\.cache\b77508841ce1ea8\DSETUP.dll
2013-03-11 22:35:22 484632 ----a-w- d:\program files\common files\windows live\.cache\b77508841ce1ea8\DXSETUP.exe
2013-03-11 22:35:22 1670936 ----a-w- d:\program files\common files\windows live\.cache\b77508841ce1ea8\dsetup32.dll
2013-03-11 22:35:07 1013800 ----a-w- d:\program files\common files\windows live\.cache\aeda0bac1ce1ea8\WindowsXP-KB954708-x86-ENU.exe
2013-03-11 22:01:14 -------- d-----w- d:\program files\common files\Windows Live
2013-03-10 01:32:47 222448 ----a-w- d:\windows\system32\muweb.dll
2013-03-10 01:32:45 275696 ----a-w- d:\windows\system32\mucltui.dll
2013-03-10 01:32:45 17136 ----a-w- d:\windows\system32\mucltui.dll.mui
2013-03-10 00:48:53 232336 ------w- d:\windows\system32\MpSigStub.exe
2013-03-10 00:39:51 -------- d-----w- d:\program files\Microsoft Security Client
2013-03-09 06:15:51 -------- d-----w- d:\documents and settings\jeff\.SimXpert
2013-03-09 05:43:25 -------- d-----w- d:\documents and settings\jeff\CDMData
2013-03-09 05:38:47 -------- d-----w- d:\documents and settings\jeff\scratch
2013-03-09 05:38:47 -------- d-----w- d:\documents and settings\jeff\Process
2013-03-09 04:53:32 -------- d-----w- D:\MSC Software
2013-03-08 23:04:40 -------- d-----w- D:\SCRATCH
2013-03-08 22:34:54 -------- d-----w- D:\MSC.Software
2013-03-08 06:18:00 80090 ----a-w- d:\documents and settings\jeff\application data\SMBIOSSP.exe
2013-03-07 02:38:09 -------- d-----w- d:\program files\common files\Gretech Corporation
2013-03-07 02:38:08 -------- d-----w- d:\documents and settings\all users\application data\GRETECH
2013-03-07 02:35:32 -------- d-----w- d:\program files\GRETECH
2013-03-07 01:16:36 -------- d-----w- d:\program files\Conduit
2013-03-07 01:16:07 -------- d-----w- d:\documents and settings\jeff\local settings\application data\Conduit
2013-03-07 01:16:06 -------- d-----w- d:\documents and settings\jeff\local settings\application data\Temp
2013-03-07 01:15:23 -------- d-----w- d:\program files\SearchProtect
2013-03-04 17:15:23 -------- d-----w- d:\documents and settings\jeff\local settings\application data\Pinnacle
2013-03-04 04:48:11 171520 ----a-w- d:\windows\system32\drivers\MarvinBus.sys
2013-03-04 04:47:54 -------- d-----w- d:\program files\common files\Pinnacle
2013-03-04 04:46:31 -------- d-----w- d:\documents and settings\all users\application data\Pinnacle Studio HD
2013-03-04 04:37:15 -------- d-----w- d:\program files\common files\Pegasus Imaging
2013-03-04 04:37:12 -------- d-----w- d:\program files\common files\Yahoo!
2013-03-04 04:37:11 -------- d-----w- d:\program files\Pinnacle
2013-03-04 04:37:11 -------- d-----w- d:\documents and settings\all users\application data\Studio 14
2013-03-04 04:37:11 -------- d-----w- d:\documents and settings\all users\application data\Pinnacle Studio Plus
2013-03-03 23:06:32 -------- d-----w- d:\documents and settings\all users\CyberLink
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin7.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin6.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin5.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin4.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin3.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin2.dll
2013-03-03 23:01:31 159744 ----a-w- d:\program files\internet explorer\plugins\npqtplugin.dll
2013-03-03 22:41:46 447479568 ----a-w- d:\program files\CL.2418_GM4_Trial_VDE121106-02.exe
2013-02-27 05:35:55 -------- d-----w- d:\windows\system32\NtmsData
.
==================== Find3M ====================
.
2013-02-12 00:32:23 12928 ----a-w- d:\windows\system32\drivers\usb8023.sys
2013-02-12 00:32:23 12928 ------w- d:\windows\system32\drivers\usb8023x.sys
2013-02-05 20:05:47 916480 ----a-w- d:\windows\system32\wininet.dll
2013-02-05 20:05:46 43520 ------w- d:\windows\system32\licmgr10.dll
2013-02-05 20:05:46 1469440 ------w- d:\windows\system32\inetcpl.cpl
2013-02-05 05:53:57 385024 ------w- d:\windows\system32\html.iec
2013-01-26 03:55:44 552448 ----a-w- d:\windows\system32\oleaut32.dll
2013-01-25 16:48:32 3915776 ----a-w- d:\windows\system32\ffmpeg.dll
2013-01-25 16:47:32 112640 ----a-w- d:\windows\system32\ff_vfw.dll
2013-01-25 16:47:18 3500544 ----a-w- d:\windows\system32\ffdshow.ax
2013-01-25 16:46:18 271360 ----a-w- d:\windows\system32\TomsMoComp_ff.dll
2013-01-25 16:46:16 99840 ----a-w- d:\windows\system32\ff_wmv9.dll
2013-01-25 16:46:16 157184 ----a-w- d:\windows\system32\ff_unrar.dll
2013-01-25 16:46:12 211968 ----a-w- d:\windows\system32\ff_libdts.dll
2013-01-25 16:46:12 147456 ----a-w- d:\windows\system32\ff_libmad.dll
2013-01-25 16:46:08 1525760 ----a-w- d:\windows\system32\ff_samplerate.dll
2013-01-25 16:46:08 114688 ----a-w- d:\windows\system32\ff_liba52.dll
2013-01-25 16:00:40 420008 ----a-w- d:\windows\system32\LAVSplitter.ax
2013-01-25 16:00:40 384472 ----a-w- d:\windows\system32\swscale-lav-2.dll
2013-01-25 16:00:40 279208 ----a-w- d:\windows\system32\IntelQuickSyncDecoder.dll
2013-01-25 16:00:40 247920 ----a-w- d:\windows\system32\avutil-lav-52.dll
2013-01-25 16:00:40 243880 ----a-w- d:\windows\system32\LAVAudio.ax
2013-01-25 16:00:40 183976 ----a-w- d:\windows\system32\libbluray.dll
2013-01-25 16:00:40 165160 ----a-w- d:\windows\system32\avresample-lav-1.dll
2013-01-25 16:00:40 1186984 ----a-w- d:\windows\system32\LAVVideo.ax
2013-01-25 16:00:38 7833552 ----a-w- d:\windows\system32\avcodec-lav-54.dll
2013-01-25 16:00:38 169888 ----a-w- d:\windows\system32\avfilter-lav-3.dll
2013-01-25 16:00:38 1257464 ----a-w- d:\windows\system32\avformat-lav-54.dll
2013-01-20 23:59:04 195296 ----a-w- d:\windows\system32\drivers\MpFilter.sys
2013-01-07 01:19:45 2148864 ----a-w- d:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01 2027520 ----a-w- d:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00 1867264 ----a-w- d:\windows\system32\win32k.sys
2013-01-02 06:49:10 148992 ----a-w- d:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10 1292288 ----a-w- d:\windows\system32\quartz.dll
.
============= FINISH: 14:13:55.23 ===============
Here is the log from the aswMBR scan:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-03-21 14:33:17
-----------------------------
14:33:17.328 OS Version: Windows 5.1.2600 Service Pack 3
14:33:17.328 Number of processors: 2 586 0x1706
14:33:17.328 ComputerName: OSCAR2 UserName: JEFF
14:33:27.484 Initialize success
14:58:45.187 AVAST engine defs: 13032102
15:01:56.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
15:01:56.812 Disk 0 Vendor: WDC_WD7500BPVT-22HXZT1 01.01A01 Size: 715404MB BusType: 3
15:01:56.984 Disk 0 MBR read successfully
15:01:56.984 Disk 0 MBR scan
15:01:57.046 Disk 0 Windows XP default MBR code
15:01:57.046 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 101 MB offset 63
15:01:57.093 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 114416 MB offset 208845
15:01:57.109 Disk 0 Partition - 00 0F Extended LBA 515405 MB offset 409593240
15:01:57.125 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 199996 MB offset 409593303
15:01:57.140 Disk 0 Partition - 00 05 Extended 315408 MB offset 819186480
15:01:57.156 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 315408 MB offset 819186543
15:01:57.156 Disk 0 scanning sectors +1465144065
15:01:57.218 Disk 0 scanning D:\WINDOWS\system32\drivers
15:02:18.640 Service scanning
15:02:38.421 Service MpKsl5be7457a D:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA5BDD50-36EC-42DF-9B8B-5E77F0D96314}\MpKsl5be7457a.sys **LOCKED** 32
15:03:01.500 Modules scanning
15:03:14.062 Disk 0 trace - called modules:
15:03:14.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
15:03:14.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac35820]
15:03:14.093 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8acd8d98]
15:03:15.328 AVAST engine scan D:\WINDOWS
15:03:28.265 AVAST engine scan D:\WINDOWS\system32
15:08:01.468 AVAST engine scan D:\WINDOWS\system32\drivers
15:08:27.984 AVAST engine scan D:\Documents and Settings\JEFF
15:12:48.953 Disk 0 MBR has been saved successfully to "D:\Documents and Settings\JEFF\My Documents\MBR.dat"
15:12:48.953 The log file has been saved successfully to "D:\Documents and Settings\JEFF\My Documents\aswMBR.txt"