
Thread: Click.GiftLoad not removed by spybot

  1. #1
    Junior Member
    Join Date
    Mar 2011
    Location
    UK
    Posts
    13

    Click.GiftLoad not removed by spybot

    I have Click.GiftLoad on my PC. Spybot S&D detected it and said it was removed, but it keeps recurring. I removed it in Safe Mode. I also ran Malwarebytes and SuperAntiSpyware, but they did not detect it.
    Spybot also detected Win32.Fraudload.edt and seems to have removed it.

    The malware redirects web searches, but not consistently. It also seems to interfere with system stability. My PC has become unstable and svchost.exe seems to be using high resources and crashing. I have had several blue screen crashes today.

    I have used a registry cleaner in the recent past, not being aware that this was unwise. I also restored to a previous system restore point when I first realised I had a problem.

    I would be very grateful for help in resolving this problem.

    Here is the dds.txt file.


    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Peter Herron at 21:34:44.89 on 13/03/2011
    Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_17
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.882 [GMT 0:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\oodag.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\Dwm.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Users\Peter Herron\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Peter Herron\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Users\Peter Herron\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.google.co.uk/
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=127.0.0.1:55192
    uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
    mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: NXIECatcher Class: {83b80a9c-d91a-4f22-8dcf-ea7204039f79} - c:\program files\xi\netxfer\NXIEHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [Google Update] "c:\users\peter herron\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    dRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - res://c:\program files\flash capture\fciext.dll/FCIEXT.htm
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} - hxxp://static.photobox.co.uk/sg/common/uploader_uni.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - hxxp://www.instantaction.com/download/iaplayer.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    Hosts: 195.122.131.250 rapidshare.com
    Hosts: 195.122.131.250 www.rapidshare.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\peterh~1\appdata\roaming\mozilla\firefox\profiles\y6gzbwgg.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\sony\media go\npmediago.dll
    FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
    FF - plugin: c:\users\peter herron\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\users\peter herron\appdata\roaming\mozilla\firefox\profiles\y6gzbwgg.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-9-12 20328]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-20 21504]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-3-13 1153368]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-7-14 239648]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-15 136176]
    S3 IAMT03;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMT03.sys [2007-5-9 40848]
    S3 IAMTV;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMTV.sys [2007-5-9 38280]
    S3 Media Jukebox 14 Service;Media Jukebox 14 Service;c:\program files\j river\media jukebox 14\JRService.exe [2011-1-26 379400]
    S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [2007-5-9 47496]
    S4 ioatdma;IOATDMA.SYS Intel(R) 5000 Series Chipsets Integrated Device - 1A38;c:\windows\system32\drivers\ioatdma.sys [2007-5-9 32136]
    S4 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-5-9 34176]
    S4 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-5-9 28800]
    .
    =============== File Associations ===============
    .
    .txt=
    .
    =============== Created Last 30 ================
    .
    2011-03-13 19:42:54 -------- d-----w- c:\program files\CCleaner
    2011-03-13 18:02:51 -------- d-----w- c:\users\peterh~1\appdata\roaming\SUPERAntiSpyware.com
    2011-03-13 18:02:51 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
    2011-03-13 18:02:41 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-03-13 14:57:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-13 14:57:51 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
    2011-03-13 00:20:31 -------- d-----w- c:\program files\Wise PC Engineer
    2011-02-24 09:50:15 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-02-24 09:49:13 40448 ----a-w- c:\windows\system32\winrs.exe
    2011-02-24 09:49:13 20480 ----a-w- c:\windows\system32\winrshost.exe
    2011-02-24 09:49:13 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-02-24 09:49:03 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
    2011-02-24 09:49:03 10240 ----a-w- c:\windows\system32\winrssrv.dll
    2011-02-22 16:12:20 -------- d-----w- c:\users\peterh~1\appdata\roaming\FastStone
    2011-02-22 16:12:09 -------- d-----w- c:\program files\FastStone Photo Resizer
    .
    ==================== Find3M ====================
    .
    2011-02-15 08:46:36 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
    2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
    2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: SAMSUNG_HD321KJ rev.CP100-10 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8648C439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x864927d0]; MOV EAX, [0x8649284c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x8244D912] -> \Device\Harddisk0\DR0[0x8563B780]
    3 CLASSPNP[0x82FA08B3] -> ntkrnlpa!IofCallDriver[0x8244D912] -> [0x8540A8C0]
    5 acpi[0x806996BC] -> ntkrnlpa!IofCallDriver[0x8244D912] -> [0x85408030]
    \Driver\atapi[0x86477E70] -> IRP_MJ_CREATE -> 0x8648C439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP1T0L0-0 -> \??\IDE#DiskSAMSUNG_HD321KJ_________________________CP100-10#5&225fea8e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 625142446 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
    .
    ============= FINISH: 21:35:46.59 ===============


    This is the Spybot report:


    Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

    Right Media: Tracking cookie (Internet Explorer: Peter Herron) (Cookie, nothing done)
    MediaPlex: Tracking cookie (Internet Explorer: Peter Herron) (Cookie, nothing done)
    DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
    FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)

    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2011-03-13 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2011-02-24 Includes\Adware.sbi (*)
    2011-03-08 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-03-08 Includes\DialerC.sbi (*)
    2011-02-24 Includes\HeavyDuty.sbi (*)
    2010-11-30 Includes\Hijackers.sbi (*)
    2011-03-08 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-12-14 Includes\Keyloggers.sbi (*)
    2011-03-08 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2011-02-24 Includes\Malware.sbi (*)
    2011-03-08 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2011-03-03 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2011-03-08 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2011-02-24 Includes\Spyware.sbi (*)
    2011-03-08 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-12-28 Includes\Trojans.sbi (*)
    2011-03-08 Includes\TrojansC-02.sbi (*)
    2011-03-03 Includes\TrojansC-03.sbi (*)
    2011-03-08 Includes\TrojansC-04.sbi (*)
    2011-03-08 Includes\TrojansC-05.sbi (*)
    2011-03-08 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    I would be very grateful for any help in removing this. I hope I have followed your instructions. I am aware another person has posted a nearly identical issue.
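
A small triage script for the "Pseudo HJT Report" section of a DDS log like the one above, added here as an editor's example rather than code from the poster or from DDS. It flags the entries a helper reads first (a proxy on loopback, hosts overrides, an orphaned BHO registration, UAC disabled, a modified Userinit) on a constructed sample copied from the lines posted; the severity labels and rule names are this example's own conventions, not anything DDS or Spybot emits.

```python
"""Triage of the 'Pseudo HJT Report' section of a DDS log (editor's example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the shape DDS printed them in the
# post above (hxxp is DDS's defanged scheme). The proxy, BHO, policy and Hosts
# lines are the ones a helper would query first.
SAMPLE_DDS = r"""
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:55192
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 195.122.131.250 rapidshare.com
Hosts: 195.122.131.250 www.rapidshare.com
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low": this example's own scale
    rule: str      # short rule name, also this example's own
    line: str      # the DDS line that triggered it


# The only thing Userinit should launch on a stock Vista/7 install.
USERINIT_OK = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$")


def is_loopback_proxy(value: str) -> bool:
    """True if any entry of an IE ProxyServer value points back at this host.

    The value is either "host:port" or a ";"-separated list such as
    "http=host:port;https=host:port".
    """
    for entry in value.split(";"):
        target = entry.split("=", 1)[-1].strip()
        host = target.rsplit(":", 1)[0].strip("[]") if ":" in target else target
        if host.lower() == "localhost":
            return True
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:  # a hostname, not an address
            continue
    return False


def userinit_is_default(value: str) -> bool:
    """True if Userinit launches only the stock userinit.exe (trailing comma allowed)."""
    entries = [e.strip().strip('"') for e in value.lower().split(",") if e.strip()]
    return bool(entries) and all(USERINIT_OK.match(e) for e in entries)


def triage_hjt(text: str) -> list[Finding]:
    """Walk the Pseudo HJT Report lines and return the entries worth a second look."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        proxy = re.match(r"^[umd]Internet Settings,ProxyServer\s*=\s*(.+)$", line)
        if proxy and is_loopback_proxy(proxy.group(1)):
            # Browser traffic is routed through a process on this machine; find out
            # what listens on that port before trusting any search result.
            findings.append(Finding("high", "loopback-proxy", line))
        elif line.startswith("Hosts:"):
            # A hosts-file redirect for a real domain should be explained, and
            # removed if nobody added it on purpose.
            findings.append(Finding("medium", "hosts-override", line))
        elif line.startswith("BHO:") and line.endswith("- No File"):
            # Registration survived but the DLL is gone: leftover to clean up.
            findings.append(Finding("low", "orphan-bho", line))
        elif re.match(r"^[umd]Policies-system:\s*EnableLUA\s*=\s*0\b", line):
            findings.append(Finding("medium", "uac-disabled", line))
        else:
            userinit = re.match(r"^[umd]Winlogon:\s*Userinit\s*=\s*(.+)$", line, re.I)
            if userinit and not userinit_is_default(userinit.group(1)):
                # Anything appended here runs at every interactive logon.
                findings.append(Finding("high", "userinit-modified", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.rule:18} {f.line}")
```

On the sample the script reports the loopback proxy, the orphaned BHO, EnableLUA = 0 and both Hosts lines, while the stock Userinit value produces no finding.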

  2. #2
    Senior Member
    Join Date
    Apr 2010
    Posts
    463


    Hello pherron and

    My name is JonTom

    • Malware Logs can sometimes take a lot of time to research and interpret.
    • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
    • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
    • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
    • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.


    Before we do any fixing I would like to see a report from the following scan:

    1. Please scan your system with GMER



      Download GMER Rootkit Scanner from here or here.
      • Extract the contents of the zipped file to desktop.
      • Right click on GMER.exe and select "Run as Administrator" to run the program. If asked to allow gmer.sys driver to load, please consent.
      • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
      • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
        • IAT/EAT
        • Drives/Partition other than Systemdrive (typically C:\)
        • Show All (don't miss this one)
      • Then click the Scan button & wait for it to finish.
      • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
      • Save it where you can easily find it, such as your desktop, and post it in your reply.


      **Caution**
      Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



      • If you are having trouble getting GMER to complete a scan, please run it again, but this time uncheck everything EXCEPT "Sections" and "C:\".
      • If GMER does not produce a log please try running it from Safe Mode.




      • How to use the F8 method to Start Your Computer in Safe Mode


      • Restart your computer.
      • As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
      • Use the arrow keys to select the Safe mode menu item.
      • Press Enter.


      • If GMER in safe mode does not work, please try Rootkit Unhooker:


    2. Rootkit Unhooker


      • Please Download Rootkit Unhooker and Save it to your desktop.
      • Right click on RKUnhookerLE.exe and select "Run as administrator" to run it.
      • Click the Report tab, then click Scan.
      • Check (Tick) Drivers, Stealth. Uncheck the rest, then Click OK.
      • Wait till the scanner has finished and then click File, Save Report.
      • Save the report somewhere where you can find it. Click Close.


      • Copy the entire contents of the report and paste it in your next reply here.


      • Note: You may get the following warning, just click OK and continue.

        "Rootkit Unhooker has detected a parasite inside itself!
        It is recommended to remove parasite, okay?"


      Please provide the GMER/Rootkit Unhooker log in your next reply. If you are still having trouble, come back and let me know.
    Proud Graduate of the WTT Classroom

  3. #3
    Junior Member
    Join Date
    Mar 2011
    Location
    UK
    Posts
    13


    Many thanks for your help.
    Running GMER caused a blue screen twice, so I unchecked everything except "Sections" and "C:\".

    Here is the result:


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-03-14 18:32:46
    Windows 6.0.6002 Service Pack 2
    Running: gmer.exe; Driver: C:\Users\PETERH~1\AppData\Local\Temp\uxriipog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 3F1 82CBFB74 4 Bytes [80, B7, 2F, A5]
    .text ntkrnlpa.exe!KeSetEvent + 621 82CBFDA4 8 Bytes [20, D6, 30, 8E, D0, B8, 2F, ...] {AND DH, DL; XOR [ESI-0x5ad04730], CL}
    .text ntkrnlpa.exe!KeSetEvent + 681 82CBFE04 4 Bytes JMP B2856E8B
    .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CC04340, 0x39DB57, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\Explorer.EXE[404] ntdll.dll!NtProtectVirtualMemory 76E64B84 5 Bytes JMP 0185000A
    .text C:\Windows\Explorer.EXE[404] ntdll.dll!NtWriteVirtualMemory 76E654C4 5 Bytes JMP 018D000A
    .text C:\Windows\Explorer.EXE[404] ntdll.dll!KiUserExceptionDispatcher 76E65BF8 5 Bytes JMP 0179000A
    .text C:\Windows\system32\svchost.exe[1400] ntdll.dll!NtProtectVirtualMemory 76E64B84 5 Bytes JMP 0071000A
    .text C:\Windows\system32\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory 76E654C4 5 Bytes JMP 0076000A
    .text C:\Windows\system32\svchost.exe[1400] ntdll.dll!KiUserExceptionDispatcher 76E65BF8 5 Bytes JMP 000F000A
    .text C:\Windows\system32\svchost.exe[1400] ole32.dll!CoCreateInstance 74F79F3E 5 Bytes JMP 00DC000A

    ---- EOF - GMER 1.0.15 ----

  4. #4
    Senior Member
    Join Date
    Apr 2010
    Posts
    463


    Hello pherron

    Thank you for the log.

    Let's start with the following:

    1. P2P Programs:


      • P2P programs are a major source of Malware infections.
      • From your log I see you have BitTorrent complete and BitTornado. We do not pass judgment on file-sharing, however we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
      • The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
      • If you wish to keep the program(s), please do not use them until your computer is cleaned.

      • Information regarding the risk of using these programs can be found from here and here.

      • It is strongly recommended that you uninstall any P2P programs you have on your system.

      • To do this, Click on the "Windows Orb" (bottom left hand corner of your screen), then on "Computer" and then on the "Uninstall or Change a Program" tab.
      • A list of currently installed programs will be displayed.
      • Find the "BitTorrent complete" and "BitTornado" programs, click on them once and then click on the "Uninstall" button.
      • If you are prompted to re-boot your computer to complete the uninstall please do so.


        PLEASE NOTE:
      • Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.


    2. Toolbars


      • I can see that you have the uTorrentBar Toolbar installed.
      • I recommend that you uninstall this toolbar from your machine.
      • To do this, click on the "Windows Orb" (bottom left hand corner of your screen), then on "Computer" and then on the "Uninstall or Change a Program" tab.
      • A list of currently installed programs will be displayed.
      • Find the "uTorrentBar Toolbar", click on it once and then click on the "Uninstall" button.
      • If you are prompted to re-boot your computer to complete the uninstall please do so.


    3. TDSS Killer


      • Please read carefully and follow these steps.
      • Download TDSSKiller and save it to your Desktop.
      • Extract its contents to your desktop.
      • Once extracted, open the TDSSKiller folder and Right click on TDSSKiller.exe and select "Run as Administrator" to run the application.
      • Click on Start Scan.
      • If an infected file is detected, the default action will be Cure, click on Continue.
      • If a suspicious file is detected, the default action will be Skip, click on Continue.
      • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
      • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
      • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


      Please post the TDSSKiller log in your next reply.
    Proud Graduate of the WTT Classroom
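    For anyone working through a TDSSKiller log like the one requested above, here is an added Python example (it is not part of this thread and not TDSSKiller's own code) that parses the per-driver lines in the format the tool writes (timestamp, thread id, service name, MD5 in parentheses, image path) and pulls out two things a helper would eyeball first: drivers whose image lives outside C:\Windows (legitimate third-party drivers such as SUPERAntiSpyware's will show up here too, so it is a review list, not a verdict) and one image file registered under several service names. The sample lines are copied from the log posted in the next reply, except the FakeSvc line and its all-zero hash, which are constructed.

```python
import re
from collections import defaultdict

# One TDSSKiller 2.4.x driver line looks like:
#   YYYY/MM/DD HH:MM:SS.ffff  <thread id>  <service name>  (<md5>)  <image path>
# Header and status lines ("Scan started", "Mode: Manual;") have no "(md5)" and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
    r"(?P<tid>\d+)\s+"
    r"(?P<service>\S+)\s+"
    r"\((?P<md5>[0-9a-f]{32})\)\s+"
    r"(?P<path>.+?)\s*$"
)

# Images that live under the Windows directory are the common case; anything
# else goes on the review list.
SYSTEM_ROOT = "c:\\windows\\"

# Constructed sample: real lines from the log posted in this thread plus one
# made-up entry (FakeSvc) whose image sits under a user profile.
SAMPLE_LOG = r"""
2011/03/14 19:15:23.0281 5212 Scan started
2011/03/14 19:15:23.0281 5212 Mode: Manual;
2011/03/14 19:15:24.0243 5212 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/03/14 19:15:31.0764 5212 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/03/14 19:15:33.0032 5212 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2011/03/14 19:15:33.0068 5212 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2011/03/14 19:15:35.0000 5212 FakeSvc (00000000000000000000000000000000) C:\Users\example\AppData\Local\Temp\example.sys
"""


def parse_tdss_log(text):
    """Return one dict (ts, tid, service, md5, path) per driver line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())  # forum paste adds leading spaces
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries):
    """Group drivers by image file and flag images outside the Windows tree."""
    by_image = defaultdict(list)
    outside = []
    for e in entries:
        norm = e["path"].lower()  # Vista logs mix "drivers" and "DRIVERS"
        by_image[norm].append(e["service"])
        if not norm.startswith(SYSTEM_ROOT):
            outside.append(e["service"])
    # Several services pointing at one file is normal for some pairs
    # (Tcpip/Tcpip6 share tcpip.sys); it is listed so the reader can confirm.
    shared = {p: sorted(s) for p, s in by_image.items() if len(s) > 1}
    return {"outside_windows": sorted(outside), "shared_images": shared}


if __name__ == "__main__":
    report = triage(parse_tdss_log(SAMPLE_LOG))
    print("Images outside C:\\Windows:", ", ".join(report["outside_windows"]))
    for path, services in report["shared_images"].items():
        print("Shared image:", path, "->", ", ".join(services))
```

To run it on a real log, replace SAMPLE_LOG with the contents of the TDSSKiller.[Version]_[Date]_[Time]_log.txt file from the root directory.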

  5. #5
    Junior Member
    Join Date
    Mar 2011
    Location
    UK
    Posts
    13

    Default

    Ok thanks - really appreciate your time. Removed programs.
    Ran TDSSKiller and it asked for a reboot to cure one problem. Log file from root directory:


    2011/03/14 19:14:55.0428 4152 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/03/14 19:14:56.0822 4152 ================================================================================
    2011/03/14 19:14:56.0822 4152 SystemInfo:
    2011/03/14 19:14:56.0822 4152
    2011/03/14 19:14:56.0822 4152 OS Version: 6.0.6002 ServicePack: 2.0
    2011/03/14 19:14:56.0822 4152 Product type: Workstation
    2011/03/14 19:14:56.0822 4152 ComputerName: PETERHERRON-PC
    2011/03/14 19:14:56.0823 4152 UserName: Peter Herron
    2011/03/14 19:14:56.0823 4152 Windows directory: C:\Windows
    2011/03/14 19:14:56.0823 4152 System windows directory: C:\Windows
    2011/03/14 19:14:56.0823 4152 Processor architecture: Intel x86
    2011/03/14 19:14:56.0823 4152 Number of processors: 2
    2011/03/14 19:14:56.0823 4152 Page size: 0x1000
    2011/03/14 19:14:56.0823 4152 Boot type: Normal boot
    2011/03/14 19:14:56.0823 4152 ================================================================================
    2011/03/14 19:14:57.0196 4152 Initialize success
    2011/03/14 19:15:23.0281 5212 ================================================================================
    2011/03/14 19:15:23.0281 5212 Scan started
    2011/03/14 19:15:23.0281 5212 Mode: Manual;
    2011/03/14 19:15:23.0281 5212 ================================================================================
    2011/03/14 19:15:34.0765 5212 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
    2011/03/14 19:15:34.0847 5212 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
    2011/03/14 19:15:34.0894 5212 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
    2011/03/14 19:15:34.0931 5212 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    2011/03/14 19:15:34.0973 5212 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
    2011/03/14 19:15:35.0020 5212 yukonwlh (04e268adfc81964c49dc0c082d520f7e) C:\Windows\system32\DRIVERS\yk60x86.sys
    2011/03/14 19:15:35.0069 5212 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/03/14 19:15:35.0072 5212 ================================================================================
    2011/03/14 19:15:35.0072 5212 Scan finished
    2011/03/14 19:15:35.0072 5212 ================================================================================
    2011/03/14 19:15:35.0082 5368 Detected object count: 1
    2011/03/14 19:15:41.0165 5368 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    2011/03/14 19:15:41.0165 5368 \HardDisk1 - ok
    2011/03/14 19:15:41.0166 5368 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
    2011/03/14 19:16:02.0817 5260 Deinitialize success

  6. #6
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello pherron

    Thank you for the log.

    We now need to run ComboFix on this machine. AVG is known to interfere with ComboFix and prevent it from functioning correctly. Your AVG must be fully uninstalled before running ComboFix.

    Once you have uninstalled AVG please refrain from using the net except to download the required tools and to post logs back here.

    1. Combofix

      • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
      • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
      • Right click on ComboFix.exe and select "Run as Administrator" to run the program. Follow the prompts.


      • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      • Click on Yes, to continue scanning for malware.
      • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
      • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
      • Should there be issues with internet afterward:

        In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

        In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.
    Proud Graduate of the WTT Classroom

  7. #7
    Junior Member
    Join Date
    Mar 2011
    Location
    UK
    Posts
    13

    Default

    Ok, all instructions carefully followed. Log file from ComboFix pasted below.
    Can I re-install AVG now?
    Again, many thanks for this.



    ComboFix 11-03-13.02 - Peter Herron 14/03/2011 20:49:07.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1088 [GMT 0:00]
    Running from: c:\users\Peter Herron\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\ABBYY FineReader 6.0 Sprint\ABBYY FineReader 6.0 Sprint.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\ABBYY FineReader 6.0 Sprint\User's Guide.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\ArcSoft PhotoImpression 6\PhotoImpression 6 Monitor.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\ArcSoft PhotoImpression 6\PhotoImpression 6.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Attach To Email\EPSON Attach To Email.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Attach To Email\Read Me.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Attach To Email\Uninstall EPSON Attach To Email.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Copy Utility\EPSON Copy Utility ReadMe.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Copy Utility\EPSON Copy Utility.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\EPSON Copy Utility.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\EPSON File Manager.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\File Manager\EPSON File Manager Uninstall.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\File Manager\EPSON File Manager.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\File Manager\Readme.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Creativity Suite\Scan Assistant\Scan Assistant.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON PERFECTION V200 PHOTO Manual.lnk
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Scanner\EPSON Scan\EPSON Scan.lnk
    c:\windows\system32\Ijl11.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-13 21:19 . 2011-03-13 21:20 -------- d-----w- c:\program files\ERUNT
    2011-03-13 19:42 . 2011-03-13 20:53 -------- d-----w- c:\program files\CCleaner
    2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\SUPERAntiSpyware.com
    2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-03-13 14:57 . 2011-03-13 15:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-03-13 14:57 . 2011-03-13 15:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-13 00:20 . 2011-03-13 00:20 -------- d-----w- c:\program files\Wise PC Engineer
    2011-02-24 09:50 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-02-24 09:49 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-02-24 09:49 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
    2011-02-24 09:49 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
    2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
    2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
    2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\FastStone
    2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\program files\FastStone Photo Resizer
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-15 08:46 . 2007-08-03 14:53 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
    2011-01-20 16:37 . 2011-02-09 20:28 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-01-20 16:08 . 2011-02-09 20:28 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08 . 2011-02-09 20:28 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08 . 2011-02-09 20:28 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08 . 2011-02-09 20:28 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08 . 2011-02-09 20:28 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07 . 2011-02-09 20:28 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07 . 2011-02-09 20:28 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07 . 2011-02-09 20:28 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06 . 2011-02-09 20:28 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06 . 2011-02-09 20:28 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04 . 2011-02-09 20:28 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 16:04 . 2011-02-09 20:28 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 14:28 . 2011-02-09 20:28 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27 . 2011-02-09 20:28 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26 . 2011-02-09 20:28 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25 . 2011-02-09 20:28 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24 . 2011-02-09 20:28 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-20 14:24 . 2011-02-09 20:28 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15 . 2011-02-09 20:28 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14 . 2011-02-09 20:28 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14 . 2011-02-09 20:28 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14 . 2011-02-09 20:28 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12 . 2011-02-09 20:28 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11 . 2011-02-09 20:28 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47 . 2011-02-09 20:28 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-20 13:44 . 2011-02-09 20:28 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-01-20 13:44 . 2011-02-09 20:28 797184 ----a-w- c:\windows\system32\FntCache.dll
    2011-01-08 08:47 . 2011-02-09 20:28 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28 . 2011-02-09 20:28 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57 . 2011-02-09 20:28 2039808 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 15:55 . 2011-01-12 08:30 413696 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-18 06:27 . 2011-02-09 20:27 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-18 06:22 . 2011-02-09 20:27 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 06:22 . 2011-02-09 20:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-18 06:22 . 2011-02-09 20:27 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-12-18 06:22 . 2011-02-09 20:27 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-12-18 05:25 . 2011-02-09 20:27 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-18 04:48 . 2011-02-09 20:27 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-12-18 04:47 . 2011-02-09 20:27 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "Google Update"="c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-01 133104]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
    backup=c:\windows\pss\Orbit.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-601883706-1770117181-183331753-1000]
    "EnableNotificationsRef"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
    R3 IAMT03;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamt03.sys [2006-10-18 40848]
    R3 IAMTV;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtv.sys [2006-10-18 38280]
    R3 Media Jukebox 14 Service;Media Jukebox 14 Service;c:\program files\J River\Media Jukebox 14\JRService.exe [2010-07-15 379400]
    R3 Normandy;Normandy SR2; [x]
    R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtxp.sys [2006-10-18 47496]
    R4 ioatdma;IOATDMA.SYS Intel(R) 5000 Series Chipsets Integrated Device - 1A38;c:\windows\system32\drivers\ioatdma.sys [2006-10-11 32136]
    R4 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-14 34176]
    R4 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-12-19 28800]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]
    S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
    .
    2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
    .
    2011-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000Core.job
    - c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
    .
    2011-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000UA.job
    - c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
    .
    2011-03-14 c:\windows\Tasks\User_Feed_Synchronization-{3B3713E4-0FE5-41F5-864D-900F8ABFEE9A}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=127.0.0.1:55192
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    FF - ProfilePath - c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    .
    ------- File Associations -------
    .
    .txt=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
    WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
    WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-14 21:00
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
    .
    [HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*0*2*2**0ÿÊlÿåen0¢0Ö0Ê0¤0Åe
    0\OpenWithList]
    @Class="Shell"
    .
    [HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\SecuROM\License information*]
    "datasecu"=hex:b8,0b,be,2b,d5,79,0a,da,fb,d5,94,ca,b6,20,6b,9f,04,e7,f0,86,70,
    09,e7,f4,62,3d,44,ef,ca,b5,d7,4e,6e,08,c8,cf,2c,76,41,b6,7f,9c,25,23,82,91,\
    "rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-03-14 21:05:19
    ComboFix-quarantined-files.txt 2011-03-14 21:05
    .
    Pre-Run: 44,104,036,352 bytes free
    Post-Run: 43,279,822,848 bytes free
    .
    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 4525E5DFADF763FDC0F8DC74C8874E02

  8. #8
    Junior Member
    Join Date
    Mar 2011
    Location
    UK
    Posts
    13

    Default

    By the way, Spybot is still showing me as infected with Click.GiftLoad.
    I only ran a scan, I have taken no action and await your instructions.

  9. #9
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello pherron

    Thank you for the log.

    Can I re-install AVG now?
    Let's leave it uninstalled for now. Don't worry, I'll let you know when to re-install it.


    1. Please work through the following steps


      • Hold down the Windows key (has the Windows symbol on it) and press the "R" key. A Run box will open. Type in Notepad, then click on "OK".
      • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
      • Copy and Paste the text in the quotebox below into the open Notepad window:

        DDS::
        uInternet Settings,ProxyOverride = *.local;<local>
        uInternet Settings,ProxyServer = http=127.0.0.1:55192

        Firefox::
        FF - ProfilePath - c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\
        FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
        FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com

        RegLock::
        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
        [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
        [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
        [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
        [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
      • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
      • Close any open browsers.
      • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Referring to the picture below, drag CFScript.txt into ComboFix.exe
      • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
      • Once the log is produced, re-engage your resident anti virus.


    2. Temporary File Cleaner


      • Download TFC to your desktop.
      • Close any open windows.
      • Right click the TFC icon and select "Run as Administrator" to run the program.
      • TFC will close all open programs itself in order to run.
      • Click the Start button to begin the process.
      • Allow TFC to run uninterrupted.
      • The program should not take long to finish.
      • Once complete it should automatically reboot your machine.
      • If your machine does not reboot automatically, manually reboot to ensure a complete clean.
      • Note: After running TFC your machine may take slightly longer to boot the first time. This is normal.


    3. MalwareBytes AntiMalware:


      • I can see that you have MBAM installed.
      • Double click on your MalwareBytes AntiMalware icon to launch the program.
      • Click on the "Update" tab and then on "Check for Updates".
      • The program will now install the latest Malware definition files.
      • Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
      • Once the program has scanned your computer, a log file will be created in Notepad.
      • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
      • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
      • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
      • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
      • Come back here to this thread and Paste the log in your next reply.


      Please post the ComboFix log and the MBAM log in your next reply.
    Proud Graduate of the WTT Classroom
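    Worked example, added here and not code from the thread, ComboFix or TDSSKiller: a small Python triage script that scans pasted log text for the kinds of entries the CFScript above targets (a ProxyServer pointing at 127.0.0.1, EnableLUA=0, Security Center monitoring disabled, a Firefox search URL on conduit.com) plus the TDSSKiller rootkit detection line, and drafts the DDS:: and Firefox:: sections in the layout the helper's script uses. The line formats and values are taken from the logs posted above; the SAMPLE_LOG text, the HIJACK_DOMAINS list and all function names are constructed for the example.

```python
"""Triage helper for the ComboFix / TDSSKiller log lines quoted in this thread.
Added example; not part of the thread, ComboFix or TDSSKiller."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str  # indicator class
    line: str  # the log line (or registry key) that triggered it


# Search domains treated as hijackers in this demo; conduit.com is the one in the log above.
HIJACK_DOMAINS = ("conduit.com",)

# Line formats copied from the ComboFix and TDSSKiller output posted in the thread.
PROXY_RE = re.compile(r"^[ \t]*uInternet Settings,ProxyServer\s*=\s*(?P<spec>\S+)", re.M)
HOST_RE = re.compile(r"(?:\w+=)?(?P<host>[^:;=]+):(?P<port>\d+)")  # http=host:port;...
LUA_RE = re.compile(r'^[ \t]*"EnableLUA"\s*=\s*(?P<val>\d+)', re.M)
SC_RE = re.compile(
    r"^[ \t]*\[(?P<key>HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring[^\]]*)\][ \t]*\n"
    r'[ \t]*"DisableMonitoring"=dword:(?P<val>[0-9a-fA-F]{8})',
    re.M | re.I,
)
FF_URL_RE = re.compile(r"^[ \t]*FF - prefs\.js: (?P<pref>\S+) - (?P<url>\S+)", re.M)
URL_HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:?]+)", re.I)  # ComboFix defangs to hxxp://
ROOTKIT_RE = re.compile(r"^.*detected (?P<name>Rootkit\.\S+)", re.M)


def _points_at_self(spec):
    """True if any host in a ProxyServer spec is the local machine (a redirector pattern)."""
    return any(m.group("host") in ("127.0.0.1", "localhost")
               for m in HOST_RE.finditer(spec))


def _is_hijack_host(url):
    m = URL_HOST_RE.match(url)
    host = m.group("host").lower() if m else ""
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)


def triage(log_text):
    """Return the indicators found in pasted log text, in the order they appear."""
    hits = []
    for m in PROXY_RE.finditer(log_text):
        if _points_at_self(m.group("spec")):
            hits.append((m.start(), Finding("local-proxy", m.group(0).strip())))
    for m in LUA_RE.finditer(log_text):
        if int(m.group("val")) == 0:  # UAC off: every process runs with the full token
            hits.append((m.start(), Finding("uac-disabled", m.group(0).strip())))
    for m in SC_RE.finditer(log_text):
        if int(m.group("val"), 16) != 0:  # worth a look even if left by an old AV uninstall
            hits.append((m.start(), Finding("security-center-monitoring-disabled", m.group("key"))))
    for m in FF_URL_RE.finditer(log_text):
        if _is_hijack_host(m.group("url")):
            hits.append((m.start(), Finding("search-hijack", m.group(0).strip())))
    for m in ROOTKIT_RE.finditer(log_text):
        hits.append((m.start(), Finding("rootkit", m.group("name"))))
    hits.sort(key=lambda h: h[0])
    return [f for _, f in hits]


def draft_cfscript(findings):
    """Draft the DDS:: and Firefox:: sections in the layout the helper's CFScript uses.
    Only the proxy and search lines are mechanical; UAC, Security Center and the rootkit
    hit need a human decision and are deliberately left out."""
    dds = [f.line for f in findings if f.kind == "local-proxy"]
    ff = [f.line for f in findings if f.kind == "search-hijack"]
    out = []
    if dds:
        out += ["DDS::", *dds, ""]
    if ff:
        out += ["Firefox::", *ff, ""]
    return "\n".join(out).rstrip("\n")


# Constructed sample: a handful of lines in the formats posted above.
SAMPLE_LOG = "\n".join([
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]",
    r'"EnableLUA"= 0 (0x0)',
    r".",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]",
    r'"DisableMonitoring"=dword:00000001',
    r".",
    r"uStart Page = hxxp://www.google.co.uk/",
    r"uInternet Settings,ProxyOverride = *.local;<local>",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:55192",
    r"FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}",
    r"FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/",
    r"2011/03/14 19:15:35.0069 5212 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:40s} {f.line}")
    print(draft_cfscript(triage(SAMPLE_LOG)))
```

    The draft is a starting point for review, not a replacement for the helper's script: the proxy line alone is rewritten mechanically, and the rootkit hit is left to TDSSKiller, which handles the disk-level cure itself.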

  10. #10
    Junior Member
    Join Date
    Mar 2011
    Location
    UK
    Posts
    13

    Default

    All instructions carefully followed.
    ComboFix downloaded an update, but appeared to still run the script ok.
    MalwareBytes found nothing.
    Logs attached.

    Thanks.


    ComboFix 11-03-14.07 - Peter Herron 15/03/2011 18:08:49.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1135 [GMT 0:00]
    Running from: c:\users\Peter Herron\Desktop\ComboFix.exe
    Command switches used :: c:\users\Peter Herron\Desktop\CFScript.txt
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\chrome.manifest
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\chrome\conduitengine.jar
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.js
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.xpt
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\ConduitToolbar.idl
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\ConduitToolbar.js
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\ConduitToolbar.xpt
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\components\RadioWMPCore.xpt
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\alertSettingsComponent.xml
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\appContextMenu.xml
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\engineContextMenu.xml
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\engineSettings.json
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\fbAlert.js
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\getAppsContextMenu.xml
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\postAppsContextMenu.xml
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\toolbarContextMenu.xml
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\defaults\unsharedAppsContextMenu.xml
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\DualPackage\install.rdf
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\install.rdf
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\lib\xpcom.js
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\META-INF\manifest.mf
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\META-INF\zigbert.rsa
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\META-INF\zigbert.sf
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\searchplugin\conduit.gif
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\searchplugin\conduit.ico
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\searchplugin\conduit.PNG
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\searchplugin\conduit.src
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\searchplugin\conduit.xml
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\setup.ini
    c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\extensions\engine@conduit.com\version.txt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-15 18:18 . 2011-03-15 18:18 -------- d-----w- c:\users\Peter Herron\AppData\Local\temp
    2011-03-15 18:18 . 2011-03-15 18:18 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2011-03-15 18:18 . 2011-03-15 18:18 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-14 22:31 . 2011-02-23 09:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4D8DC095-35DA-4EE3-8E77-E1D612B549CA}\mpengine.dll
    2011-03-14 19:22 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-14 19:22 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-14 19:22 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-14 19:22 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-14 19:22 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-14 19:22 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-13 21:19 . 2011-03-13 21:20 -------- d-----w- c:\program files\ERUNT
    2011-03-13 19:42 . 2011-03-13 20:53 -------- d-----w- c:\program files\CCleaner
    2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\SUPERAntiSpyware.com
    2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-03-13 18:02 . 2011-03-13 18:02 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-03-13 14:57 . 2011-03-13 15:33 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-03-13 14:57 . 2011-03-13 15:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-03-13 00:20 . 2011-03-13 00:20 -------- d-----w- c:\program files\Wise PC Engineer
    2011-02-24 09:50 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-02-24 09:49 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-02-24 09:49 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
    2011-02-24 09:49 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
    2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
    2011-02-24 09:49 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
    2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\users\Peter Herron\AppData\Roaming\FastStone
    2011-02-22 16:12 . 2011-02-22 16:12 -------- d-----w- c:\program files\FastStone Photo Resizer
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-15 08:46 . 2007-08-03 14:53 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
    2011-02-02 17:11 . 2009-10-03 09:09 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-20 16:37 . 2011-02-09 20:28 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-01-20 16:08 . 2011-02-09 20:28 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08 . 2011-02-09 20:28 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08 . 2011-02-09 20:28 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08 . 2011-02-09 20:28 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08 . 2011-02-09 20:28 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07 . 2011-02-09 20:28 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07 . 2011-02-09 20:28 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07 . 2011-02-09 20:28 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06 . 2011-02-09 20:28 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06 . 2011-02-09 20:28 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04 . 2011-02-09 20:28 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 16:04 . 2011-02-09 20:28 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 14:28 . 2011-02-09 20:28 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27 . 2011-02-09 20:28 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26 . 2011-02-09 20:28 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25 . 2011-02-09 20:28 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24 . 2011-02-09 20:28 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-20 14:24 . 2011-02-09 20:28 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15 . 2011-02-09 20:28 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14 . 2011-02-09 20:28 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14 . 2011-02-09 20:28 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14 . 2011-02-09 20:28 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12 . 2011-02-09 20:28 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11 . 2011-02-09 20:28 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47 . 2011-02-09 20:28 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-20 13:44 . 2011-02-09 20:28 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-01-20 13:44 . 2011-02-09 20:28 797184 ----a-w- c:\windows\system32\FntCache.dll
    2011-01-08 08:47 . 2011-02-09 20:28 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28 . 2011-02-09 20:28 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57 . 2011-02-09 20:28 2039808 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 15:55 . 2011-01-12 08:30 413696 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-18 06:27 . 2011-02-09 20:27 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-18 06:22 . 2011-02-09 20:27 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 06:22 . 2011-02-09 20:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-18 06:22 . 2011-02-09 20:27 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-12-18 06:22 . 2011-02-09 20:27 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-12-18 05:25 . 2011-02-09 20:27 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-18 04:48 . 2011-02-09 20:27 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-12-18 04:47 . 2011-02-09 20:27 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "Google Update"="c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-01 133104]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
    backup=c:\windows\pss\Orbit.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-601883706-1770117181-183331753-1000]
    "EnableNotificationsRef"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-18 136176]
    R3 IAMT03;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamt03.sys [2006-10-18 40848]
    R3 IAMTV;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtv.sys [2006-10-18 38280]
    R3 Media Jukebox 14 Service;Media Jukebox 14 Service;c:\program files\J River\Media Jukebox 14\JRService.exe [2010-07-15 379400]
    R3 Normandy;Normandy SR2; [x]
    R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;c:\windows\system32\drivers\iamtxp.sys [2006-10-18 47496]
    R4 ioatdma;IOATDMA.SYS Intel(R) 5000 Series Chipsets Integrated Device - 1A38;c:\windows\system32\drivers\ioatdma.sys [2006-10-11 32136]
    R4 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2005-11-14 34176]
    R4 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2005-12-19 28800]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]
    S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
    .
    2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 22:34]
    .
    2011-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000Core.job
    - c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
    .
    2011-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601883706-1770117181-183331753-1000UA.job
    - c:\users\Peter Herron\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-01 08:06]
    .
    2011-03-15 c:\windows\Tasks\User_Feed_Synchronization-{3B3713E4-0FE5-41F5-864D-900F8ABFEE9A}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    FF - ProfilePath - c:\users\Peter Herron\AppData\Roaming\Mozilla\Firefox\Profiles\y6gzbwgg.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-15 18:18
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,67,e2,16,49,c9,3e,1d,48,82,12,c8,\
    .
    [HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*0*2*2**0ÿÊlÿåen0¢0Ö0Ê0¤0Åe
    0\OpenWithList]
    @Class="Shell"
    .
    [HKEY_USERS\S-1-5-21-601883706-1770117181-183331753-1000\Software\SecuROM\License information*]
    "datasecu"=hex:b8,0b,be,2b,d5,79,0a,da,fb,d5,94,ca,b6,20,6b,9f,04,e7,f0,86,70,
    09,e7,f4,62,3d,44,ef,ca,b5,d7,4e,6e,08,c8,cf,2c,76,41,b6,7f,9c,25,23,82,91,\
    "rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
    "OODEFRAG10.00.00.01WORKSTATION"="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"
    .
    Completion time: 2011-03-15 18:21:52
    ComboFix-quarantined-files.txt 2011-03-15 18:21
    ComboFix2.txt 2011-03-14 21:05
    .
    Pre-Run: 42,517,245,952 bytes free
    Post-Run: 41,705,693,184 bytes free
    .
    Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
    - - End Of File - - E84269E1AE037EF49A86F4F5781EDC9E




    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 6067

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19019

    15/03/2011 18:39:00
    mbam-log-2011-03-15 (18-39-00).txt

    Scan type: Quick scan
    Objects scanned: 170369
    Time elapsed: 5 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
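The ComboFix log posted above contains a "Reg Loading Points" section that records a few settings a responder would want to confirm were set on purpose: EnableLUA=0 under the system policies key (UAC switched off) and DisableMonitoring=1 under the Security Center monitoring keys. The following Python script is an added example for this thread, not ComboFix, Malwarebytes or forum code: it parses the REGEDIT4-style dump ComboFix emits (a [KEY] header followed by "name"=value lines) and reports those two settings. The sample input is a handful of lines copied from the log above; the severity labels and the key-name matching rules are this example's own assumptions.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix or Malwarebytes code. It reads
the REGEDIT4-style dump ComboFix emits (a [KEY] header followed by
"name"=value lines) and reports settings a responder would want to check:
UAC disabled (EnableLUA=0) and Security Center monitoring disabled
(DisableMonitoring=1). The value names come from the log posted above; the
severity labels are this example's own choice.
"""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Sidebar"="c:\\program files\\Windows Sidebar\\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Map each registry key to its {value name: raw value string}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("raw").strip()
    return keys


def to_int(raw: str) -> Optional[int]:
    """Decode the two ways ComboFix prints a DWORD: 'dword:00000001' or '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    return None


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (severity, key, message) for settings worth a responder's attention."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        # UAC policy lives under ...\policies\system; 0 means UAC is off.
        if k.endswith(r"\policies\system") and to_int(values.get("EnableLUA", "")) == 0:
            findings.append(("high", key, "EnableLUA=0: UAC is disabled"))
        # Security Center stops tracking a product when DisableMonitoring is 1.
        if r"\security center\monitoring" in k and to_int(values.get("DisableMonitoring", "")) == 1:
            findings.append(("medium", key, "DisableMonitoring=1: Security Center is not watching this product"))
    return findings


if __name__ == "__main__":
    for sev, key, msg in triage(parse_reg_points(SAMPLE_LOG)):
        print(f"[{sev}] {key}: {msg}")
```

Run it against a full ComboFix log by reading the file into `parse_reg_points` instead of `SAMPLE_LOG`; the parser only needs the `[KEY]` / `"name"=value` lines, so the surrounding sections of the log are ignored harmlessly. On the sample above it reports one high finding (UAC off) and two medium ones (the two monitoring keys).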
