Malwarebytes

Infected. Need help!

41 replies to this topic

#1
gy18

    New Member

  • Members
  • 21 posts
When I turn on the computer, everything loads fine. But after a couple of minutes, Just-In-Time Debugging pops up on my screen asking if I want to debug, given the list of debuggers. Every time I try closing it, it would pop back up and wouldn't let me close the program. I would go to Task Manager and end the program from there, but it still would pop back up after ending the program. And when I go on Google and search, it would redirect me to another website that's totally unrelated to what I searched for. Also, when I try watching any kind of video, whether it would be on YouTube or Facebook or any other site, my computer would freeze and I would have to manually turn off my computer and restart it. I ran Malwarebytes Free and Spybot about 5 times and all those times, they wouldn't find any problems with the computer. I don't know what to do anymore. Please help!

#2
gy18

    New Member

  • Members
  • 21 posts
I don't know if this will help, but I was told about a program called HijackThis. My friend said to use this program and upload the log to see if anyone can help me. If you can help, please do. Here's the log after I scanned with HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:49:42 PM, on 2/21/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vsnp2uvc.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\VS7JIT.EXE
C:\Documents and Settings\Glenn\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 94.63.147.16 www.google.com
O1 - Hosts: 94.63.147.17 www.bing.com
O2 - BHO: (no name) - {03CDFCD9-D6E8-41F5-BEFD-B306763B9A1c} - C:\WINDOWS\system32\atiok3x232.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [dplaysvr] %APPDATA%\dplaysvr.exe
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTY3NDM3ODc2LVQxLVU4NSsxLUJBKzEtS1YzKzctWEwrMS1VQ0FMTCsxLUJBUjhHKzEtVUNBTEwyKzItRkwrOC1GOE05QSszLUY4TTExQysxLVVQRysyMDExLUY4TTExRSsxLVhPMTArMTI"&"prod=90"&"ver=10.0.1204
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Aim] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKUS\S-1-5-18\..\Run: [dplaysvr] %APPDATA%\dplaysvr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [dplaysvr] %APPDATA%\dplaysvr.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\DOCUME~1\Glenn\MYDOCU~1\gerry\MICROS~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1271014203546
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1271015953046
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/...SetupClient.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.30\bin\mysqld.exe

--
End of file - 11741 bytes
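
The log above contains the three classic hijack indicators a helper looks for by eye: O1 hosts-file entries that send www.google.com and www.bing.com to a public address (which explains the search redirects), an unnamed O2 BHO whose file is missing, and O4 autostart entries that run from %APPDATA%. The following script is an added example, not part of this thread and not code from HijackThis or Malwarebytes; it applies those checks mechanically to HijackThis-format lines. The sample lines are copied from the log above with a few benign entries added for contrast, and the domain watchlist and user-writable path markers are my own assumptions.

```python
"""Triage HijackThis-style log lines for a few well-understood hijack indicators."""
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the posted log, plus a benign hosts line
# and benign O2/O4/O23 entries so the heuristics have something to pass.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 94.63.147.16 www.google.com
O1 - Hosts: 94.63.147.17 www.bing.com
O2 - BHO: (no name) - {03CDFCD9-D6E8-41F5-BEFD-B306763B9A1c} - C:\WINDOWS\system32\atiok3x232.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [dplaysvr] %APPDATA%\dplaysvr.exe
O4 - HKUS\S-1-5-18\..\Run: [dplaysvr] %APPDATA%\dplaysvr.exe (User 'SYSTEM')
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumed watchlist: domains whose hosts-file override is almost never legitimate
# on a home PC (search engines and security vendors are classic redirect targets).
WATCHLIST = ("google.com", "bing.com", "yahoo.com", "microsoft.com", "malwarebytes.org")

# Assumed markers for locations from which legitimate autostart entries rarely run.
USER_WRITABLE = ("%appdata%", "\\application data\\", "\\temp\\", "locals~1", "\\appdata\\")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run(?:Once)?: \[([^\]]+)\] (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def _is_local(ip_text):
    """True for addresses a hosts file may legitimately map names to (loopback, 0.0.0.0, LAN)."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_private


def _in_user_writable(path):
    """True when the command or image path contains a user-writable location marker."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage(log_text):
    """Return a list of findings; each carries the section, the raw line, a severity and a reason."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip_text, host = m.groups()
            if not _is_local(ip_text):
                watched = host.lower().endswith(WATCHLIST)
                findings.append({"section": "O1", "line": line,
                                 "severity": "high" if watched else "medium",
                                 "reason": f"hosts file maps {host} to non-local address {ip_text}"})
            continue
        m = BHO_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            if "(file missing)" in path or name == "(no name)":
                findings.append({"section": "O2", "line": line, "severity": "medium",
                                 "reason": f"unnamed or missing BHO {clsid}"})
            continue
        m = RUN_RE.match(line)
        if m:
            hive, entry, cmd = m.groups()
            if _in_user_writable(cmd):
                findings.append({"section": "O4", "line": line, "severity": "high",
                                 "reason": f"autostart [{entry}] under {hive} runs from a user-writable path"})
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, owner, path = m.groups()
            if _in_user_writable(path) or "(file missing)" in path:
                findings.append({"section": "O23", "line": line, "severity": "medium",
                                 "reason": f"service '{name}' ({owner}) points at {path}"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['section']}: {finding['reason']}")
```

Run against the sample it reports the two hosts redirects as high severity, the two dplaysvr autostarts as high, and the unnamed BHO and the Temp-based service as medium, while the AVG, Adobe and Bonjour entries pass. The hosts check deliberately tolerates 0.0.0.0 and LAN addresses, since ad-blocking hosts files and local development setups use those legitimately; a public address for a search engine has no such explanation.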

#3
Maniac

    Forum Deity

  • Experts
  • 17,078 posts
  • Gender:Male
  • Location:Bulgaria, EU
Hello gy18, and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:
  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Step 2

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.


In your next post, please include:

  • ComboFix log
  • Add or Remove Programs list

My help is free; however, if you wish to make a small donation to show appreciation and to help me continue the fight against malware, then click here.

#4
gy18

    New Member

  • Members
  • 21 posts
ComboFix Log:

ComboFix 12-02-21.01 - Glenn 02/22/2012 13:02:38.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1325 [GMT -5:00]
Running from: c:\documents and settings\Glenn\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ctix7b4h.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ctix7b4h.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ctix7b4h.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ctix7b4h.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ctix7b4h.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}\install.rdf
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Documents\dll
c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\pf04h0gi.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}
c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\pf04h0gi.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}\chrome.manifest
c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\pf04h0gi.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}\chrome\xulcache.jar
c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\pf04h0gi.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}\defaults\preferences\xulcache.js
c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\pf04h0gi.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}\install.rdf
c:\documents and settings\Glenn\snuxcvibmu.tmp
c:\windows\EventSystem.log
c:\windows\system32\SET4F.tmp
c:\windows\system32\SET5B.tmp
c:\windows\system32\SET70.tmp
c:\windows\system32\SET7C.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-01-22 to 2012-02-22 )))))))))))))))))))))))))))))))
.
.
2012-02-11 03:51 . 2012-02-11 03:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-04-14 16:26 . 2011-05-20 17:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 17:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 18:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 20:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-07 05:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-06 323392]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Aim"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-07-04 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.15\AsRunHelp.exe" [2006-11-14 363008]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-22 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2007-07-11 569344]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTY3NDM3ODc2LVQxLVU4NSsxLUJBKzEtS1YzKzctWEwrMS1VQ0FMTCsxLUJBUjhHKzEtVUNBTEwyKzItRkwrOC1GOE0xMUMrMS1VUEcrMjAxMS1GOE0xMUUrMS1YTzEwKzEyLUxJQysyLUZMMTArMS1TUDErMS1TUDFUQisxLVNVUCs0LVNQMVMyKzE&prod=90&ver=10.0.1424" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 17:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Steam\\steamapps\\mercviper\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Guild Wars\\Gw.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Steam\\steamapps\\yellow0neinyci\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Steam\\steamapps\\yellow0neinyci\\condition zero\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\xchooloo8x\\counter-strike\\hl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\xchooloo8x\\condition zero\\hl.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57025:TCP"= 57025:TCP:Pando Media Booster
"57025:UDP"= 57025:UDP:Pando Media Booster
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/16/2008 6:48 PM 721904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/19/2007 3:49 PM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/3/2009 12:16 PM 135664]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/3/2009 12:16 PM 135664]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [1/2/2008 10:52 PM 47360]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-03 17:16]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-03 17:16]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\pf04h0gi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{03CDFCD9-D6E8-41F5-BEFD-B306763B9A1c} - c:\windows\system32\atiok3x232.dll
HKLM-Run-dplaysvr - c:\documents and settings\Glenn\Application Data\dplaysvr.exe
HKU-Default-Run-dplaysvr - c:\documents and settings\Glenn\Application Data\dplaysvr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-22 13:14
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00VYA0 rev.12.01B02 -> Harddisk0\DR0 -> \Device\0000009b
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4A449F]<<
c:\docume~1\Glenn\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4ab738]; MOV EAX, [0x8a4ab8ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8A8BA030]
3 CLASSPNP[0xBA11905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\00000075[0x8A8F4F18]
5 ACPI[0xB9E66620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A8BC030]
\Driver\nvata[0x8A749360] -> IRP_MJ_CREATE -> 0x8A4A449F
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000073 -> \??\IDE#DiskWDC_WD3200AAKS-00VYA0___________________12.01B02#2020202057202D44435752413157333838343232#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi -> 0x8a95c1f8
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\controlset002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-261478967-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,15"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,22"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,23"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,24"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="c:\\WINDOWS\\system32\\shell32.dll,-175"
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-137"
"{2227A280-3AEA-1069-A2DE-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-138"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="c:\\WINDOWS\\system32\\shell32.dll,38"
"AudioCD"="c:\\WINDOWS\\System32\\shell32.dll,40"
"{FBF23B42-E3F0-101B-8488-00AA003E56F8}"="c:\\WINDOWS\\system32\\shell32.dll,220"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="c:\\WINDOWS\\system32\\mydocs.dll,0"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="c:\\WINDOWS\\system32\\main.cpl,10"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="c:\\WINDOWS\\system32\\wiashext.dll,0"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="c:\\WINDOWS\\system32\\mstask.dll,-100"
"{88C6C381-2E85-11D0-94DE-444553540000}"="c:\\WINDOWS\\System32\\occache.dll,0"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="c:\\Program Files\\COMMON~1\\MICROS~1\\WEBFOL~1\\MSONSEXT.DLL,0"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="c:\\WINDOWS\\System32\\shdocvw.dll,-20785"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="c:\\WINDOWS\\System32\\webcheck.dll,0"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="c:\\WINDOWS\\system32\\syncui.dll,0"
.
[HKEY_USERS\S-1-5-21-1645522239-261478967-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C7C78B93-1769-C2CD-F751-57F80C82F191}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(912)
c:\windows\system32\WININET.dll
c:\windows\system32\nvappfilter.dll
.
Completion time: 2012-02-22 13:27:40
ComboFix-quarantined-files.txt 2012-02-22 18:27
.
Pre-Run: 71,624,953,856 bytes free
Post-Run: 71,972,741,120 bytes free
.
- - End Of File - - FE6086956A0EFE25AAE92F49923F2767


Add or Remove Programs list:

ABBYY FineReader 5.0 Sprint Plus
Adobe Flash Player 11 Plugin
Adobe Reader 8.3.0
Adobe Shockwave Player
AIM 7
Any Video Converter 2.5.9
AOL Instant Messenger
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 5
ArcSoft VideoImpression 2
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
AviSynth 2.5
Bonjour
Compatibility Pack for the 2007 Office system
Condition Zero
Corel Snapfire Plus
Counter-Strike
Counter-Strike: Source
Dell Photo AIO Printer 922
Dev-C++ 5 beta 9 release (4.9.9.2)
DirectXInstallService
DivX Web Player
Download Updater (AOL LLC)
DVD Decrypter (Remove Only)
DVDFab HD Decrypter 4.1.0.2
EMC 10 Content
Garmin Communicator Plugin
Garmin USB Drivers
Google Update Helper
Guild Wars
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Office (KB950278)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
InterVideo DVDCopy5
iTunes
Java DB 10.2.2.0
Java™ 6 Update 14
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 3
JCreator LE 4.50
JMB36X Raid Configurer
Juniper Networks Setup Client Activex Control
League of Legends
LimeWire 5.1.2
Malwarebytes' Anti-Malware
Media Player Codec Pack 3.2.0
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft DirectX SDK (November 2008)
Microsoft Expression Web
Microsoft Expression Web
Microsoft Expression Web MUI (English)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft MSDN 2005 Express Edition - ENU
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2008 Management Objects
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual Studio Web Authoring Component
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft XML Parser and SDK
MobileMe Control Panel
Mozilla Firefox 4.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Music Transfer
MyLife Webcam Pro
Nero 7 Essentials
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
ooVoo
Pando Media Booster
Pepakura Viewer 3
PhotoScape
PopCap Browser Plugin
PowerISO
ProProfs CompTIA A+ Practice Exams
Python 3.2
Quake Live Mozilla Plugin
QuickTime
RealPlayer
Rhapsody Player Engine
Roxio Activation Module
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939373)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942830)
Security Update for Windows XP (KB942831)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Skype™ 5.5
SmartSound Quicktracks Plugin
Sony Picture Utility
SoundMAX
Spybot - Search & Destroy
SQL Server System CLR Types
Starcraft
Steam
SUPER © v2011.build.49 (July 1st, 2011) version v2011.build.49
System Requirements Lab
System Requirements Lab CYRI
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Visual Studio Web Authoring Component (KB945140)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
Veetle TV 0.9.15
Ventrilo Client
VideoLAN VLC media player 0.8.6d
Viewpoint Media Player
VoiceOver Kit
vShare Toolbar
WampServer 2.0
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
XviD Video Codec 1.1.2-01022007

#5
Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,078 posts
  • Gender:Male
  • Location:Bulgaria, EU
Thanks!

Step 1

Please uninstall the following applications:

  • LimeWire 5.1.2 - It is a P2P application, which is against our policy. Take a look here: Piracy
  • vShare Toolbar - Modifies your home and search pages without asking you.
  • Viewpoint Media Player - It is foistware. More information here: Viewpoint to Plunge Into Adware


    Step 2

    1. Close any open browsers.

    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    c:\program files\DNA
    c:\Program Files\uTorrent
    c:\Program Files\LimeWire
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=-
    "c:\\Program Files\\DNA\\btdna.exe"=-
    
    JavaClearCache::

    Save this as CFScript.txt, in the same location as ComboFix.exe

    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


    Step 3

    Download the latest version of TDSSKiller from here and save it to your Desktop.



  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image

  • Click the Start Scan button.

    Posted Image

  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image

  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


In your next post, please include:

  • ComboFix log
  • TDSSKiller log

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image
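A cleanup script like the CFScript in Step 2 deletes folders, removes registry values and clears the Java cache the moment it is dropped onto ComboFix.exe, so it is worth reading it back in structured form first. The dry-run reporter below is an added example written for this thread; it is not code from the post, from ComboFix or from Malwarebytes. It parses only the three directives that appear above (Folder::, Registry::, JavaClearCache::) and assumes that the Registry:: section follows .reg (REGEDIT4) syntax, where "Name"=- deletes a value and [-Key] deletes a key; any other directive is reported as unknown rather than interpreted. The sample script embedded in it is the one from the post, reproduced as constructed input.

```python
"""Dry-run reporter for a ComboFix CFScript (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample input: the CFScript text from Step 2 of the post above.
SAMPLE_CFSCRIPT = r"""
Folder::
c:\program files\DNA
c:\Program Files\uTorrent
c:\Program Files\LimeWire

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\DNA\\btdna.exe"=-

JavaClearCache::
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")      # e.g. "Folder::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")           # "[Key]" or "[-Key]" (delete key)
VALUE_RE = re.compile(r'^"(.*)"=(.*)$')          # "Name"=-  or  "Name"="data"
# Only the directives seen in the post; everything else is flagged, not guessed.
KNOWN_DIRECTIVES = {"Folder", "Registry", "JavaClearCache"}


@dataclass
class CFScriptPlan:
    folders: List[str] = field(default_factory=list)
    key_deletes: List[str] = field(default_factory=list)
    value_deletes: List[Tuple[str, str]] = field(default_factory=list)   # (key, name)
    value_sets: List[Tuple[str, str, str]] = field(default_factory=list) # (key, name, data)
    directives: List[str] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def unescape_reg(name: str) -> str:
    """Undo .reg escaping: '\\\\' becomes '\\' and '\\"' becomes '"'."""
    return name.replace(r'\"', '"').replace("\\\\", "\\")


def parse_cfscript(text: str) -> CFScriptPlan:
    """Walk the script line by line and record what it would ask ComboFix to do."""
    plan = CFScriptPlan()
    section = None      # directive currently being read
    current_key = None  # registry key that following "Name"=... lines apply to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            current_key = None
            plan.directives.append(section)
            if section not in KNOWN_DIRECTIVES:
                plan.unknown.append(section)
            continue
        if section == "Folder":
            plan.folders.append(line)
        elif section == "Registry":
            km = KEY_RE.match(line)
            if km:
                minus, key = km.groups()
                if minus:
                    plan.key_deletes.append(key)
                    current_key = None
                else:
                    current_key = key
                continue
            vm = VALUE_RE.match(line)
            if vm and current_key:
                name, rhs = vm.groups()
                name = unescape_reg(name)
                if rhs == "-":
                    plan.value_deletes.append((current_key, name))
                else:
                    plan.value_sets.append((current_key, name, rhs))
            else:
                plan.errors.append(f"line {lineno}: cannot parse {line!r}")
        elif section in KNOWN_DIRECTIVES:
            plan.errors.append(f"line {lineno}: unexpected text under {section}::")
        elif section is None:
            plan.errors.append(f"line {lineno}: text before any directive")
        # Bodies of unknown directives are skipped; the directive itself was flagged.
    return plan


def firewall_exceptions_removed(plan: CFScriptPlan) -> List[str]:
    """Program paths whose Windows Firewall exception the script removes."""
    suffix = r"firewallpolicy\standardprofile\authorizedapplications\list"
    return [name for key, name in plan.value_deletes if key.lower().endswith(suffix)]


def describe(plan: CFScriptPlan) -> List[str]:
    """One human-readable line per action, with anything unparsed called out."""
    lines = [f"delete folder: {p}" for p in plan.folders]
    lines += [f"delete key: {k}" for k in plan.key_deletes]
    lines += [f"delete value: [{k}] {n}" for k, n in plan.value_deletes]
    lines += [f"set value: [{k}] {n} = {v}" for k, n, v in plan.value_sets]
    if "JavaClearCache" in plan.directives:
        lines.append("clear the Java cache")
    lines += [f"UNKNOWN directive (review by hand): {d}::" for d in plan.unknown]
    lines += [f"PARSE ERROR: {e}" for e in plan.errors]
    return lines


if __name__ == "__main__":
    print("\n".join(describe(parse_cfscript(SAMPLE_CFSCRIPT))))
```

Run as a script it lists three folder deletions, two autorun value deletions, three firewall-exception deletions and the Java cache clear, which is exactly the cleanup the helper asked for; a typo in a key name, a stray line before a directive, or a directive this reporter does not know shows up as an error or an UNKNOWN line instead of silently doing something else.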

#6
gy18

    New Member

  • Members
  • Pip
  • 21 posts
I wasn't able to uninstall vShare Toolbar or Viewpoint Media Player before I used ComboFix. I was able to manually uninstall LimeWire through the list of programs in the start menu. I was not able to open up the Add or Remove Programs in the control panel. After I ran my scans, and had to reboot, my computer wasn't able to shut down by itself. I had to force shut down my computer and start it back up again. But I was able to get the log that came from the TDSSKiller scan. I do not know if that would cause a change in the way this malware removal process works but I just wanted you to know that it happened.

ComboFix log:

ComboFix 12-02-21.01 - Glenn 02/24/2012 2:33.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1230 [GMT -5:00]
Running from: c:\documents and settings\Glenn\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Glenn\My Documents\Downloads\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
c:\program files\LimeWire
c:\program files\LimeWire\hs_err_pid2152.log
c:\program files\uTorrent
c:\program files\uTorrent\uTorrent.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-24 07:28 . 2012-02-24 07:28 -------- d-----w- c:\windows\LastGood
2012-02-22 19:06 . 2012-02-22 19:06 -------- d-----w- c:\documents and settings\Glenn\Application Data\AVG2012
2012-02-22 19:05 . 2012-02-24 07:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-02-11 03:51 . 2012-02-11 03:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-04-14 16:26 . 2011-05-20 17:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 17:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 18:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 20:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-07 05:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-22_18.15.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-24 07:19 . 2012-02-24 07:19 16384 c:\windows\Temp\Perflib_Perfdata_1c8.dat
+ 2012-02-24 07:28 . 2011-09-13 11:30 32592 c:\windows\LastGood\system32\DRIVERS\avgrkx86.sys
+ 2012-02-24 07:28 . 2011-08-08 11:08 40016 c:\windows\LastGood\system32\DRIVERS\avgmfx86.sys
+ 2012-02-24 07:28 . 2011-10-04 11:21 16720 c:\windows\LastGood\system32\DRIVERS\AVGIDSShim.sys
+ 2012-02-24 07:28 . 2011-07-11 06:14 24272 c:\windows\LastGood\system32\DRIVERS\AVGIDSFilter.sys
+ 2012-02-24 07:28 . 2011-07-11 06:14 23120 c:\windows\LastGood\system32\DRIVERS\AVGIDSEH.sys
+ 2012-02-24 07:08 . 2012-02-23 01:55 194992 c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat
+ 2012-02-24 07:28 . 2011-07-11 06:14 295248 c:\windows\LastGood\system32\DRIVERS\avgtdix.sys
+ 2012-02-24 07:28 . 2011-10-07 11:23 230608 c:\windows\LastGood\system32\DRIVERS\avgldx86.sys
+ 2012-02-24 07:28 . 2011-07-11 06:14 134608 c:\windows\LastGood\system32\DRIVERS\AVGIDSDriver.sys
+ 2012-02-22 19:05 . 2012-02-22 19:05 4698112 c:\windows\Installer\5bb283.msi
+ 2012-02-23 15:35 . 2012-02-23 15:35 2186240 c:\windows\Installer\47b5d.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Aim"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-07-04 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.15\AsRunHelp.exe" [2006-11-14 363008]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-22 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2007-07-11 569344]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 17:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Steam\\steamapps\\mercviper\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Guild Wars\\Gw.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Steam\\steamapps\\yellow0neinyci\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Steam\\steamapps\\yellow0neinyci\\condition zero\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\xchooloo8x\\counter-strike\\hl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\xchooloo8x\\condition zero\\hl.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57025:TCP"= 57025:TCP:Pando Media Booster
"57025:UDP"= 57025:UDP:Pando Media Booster
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/16/2008 6:48 PM 721904]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/19/2007 3:49 PM 24652]
R4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
R4 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys --> c:\windows\system32\DRIVERS\avgtdix.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/3/2009 12:16 PM 135664]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/3/2009 12:16 PM 135664]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [1/2/2008 10:52 PM 47360]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Avgldx86
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-03 17:16]
.
2012-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-03 17:16]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Glenn\Application Data\Mozilla\Firefox\Profiles\pf04h0gi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-24 02:46
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00VYA0 rev.12.01B02 -> Harddisk0\DR0 -> \Device\000006da
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4DC49F]<<
c:\docume~1\Glenn\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4e3738]; MOV EAX, [0x8a4e38ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8A88D030]
3 CLASSPNP[0xBA11905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\00000077[0x8A914F18]
5 ACPI[0xB9E66620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A88F030]
\Driver\nvata[0x8A4F93B8] -> IRP_MJ_CREATE -> 0x8A4DC49F
error: Read Incorrect function.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\00000075 -> \??\IDE#DiskWDC_WD3200AAKS-00VYA0___________________12.01B02#2020202057202D44435752413157333838343232#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi -> 0x8a95c1f8
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\controlset002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-261478967-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,15"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,22"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,23"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,24"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="c:\\WINDOWS\\system32\\shell32.dll,-175"
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-137"
"{2227A280-3AEA-1069-A2DE-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-138"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="c:\\WINDOWS\\system32\\shell32.dll,38"
"AudioCD"="c:\\WINDOWS\\System32\\shell32.dll,40"
"{FBF23B42-E3F0-101B-8488-00AA003E56F8}"="c:\\WINDOWS\\system32\\shell32.dll,220"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="c:\\WINDOWS\\system32\\mydocs.dll,0"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="c:\\WINDOWS\\system32\\main.cpl,10"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="c:\\WINDOWS\\system32\\wiashext.dll,0"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="c:\\WINDOWS\\system32\\mstask.dll,-100"
"{88C6C381-2E85-11D0-94DE-444553540000}"="c:\\WINDOWS\\System32\\occache.dll,0"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="c:\\Program Files\\COMMON~1\\MICROS~1\\WEBFOL~1\\MSONSEXT.DLL,0"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="c:\\WINDOWS\\System32\\shdocvw.dll,-20785"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="c:\\WINDOWS\\System32\\webcheck.dll,0"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="c:\\WINDOWS\\system32\\syncui.dll,0"
.
[HKEY_USERS\S-1-5-21-1645522239-261478967-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C7C78B93-1769-C2CD-F751-57F80C82F191}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1080)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1144)
c:\windows\system32\WININET.dll
c:\windows\system32\nvappfilter.dll
.
Completion time: 2012-02-24 02:50:10
ComboFix-quarantined-files.txt 2012-02-24 07:50
ComboFix2.txt 2012-02-22 18:27
.
Pre-Run: 71,231,176,704 bytes free
Post-Run: 71,275,491,328 bytes free
.
- - End Of File - - 076936740ECA111418E6218BC842F5D1

TDSSKiller log:

02:56:25.0375 4564 TDSS rootkit removing tool 2.7.14.0 Feb 22 2012 16:54:49
02:56:25.0656 4564 ============================================================
02:56:25.0656 4564 Current date / time: 2012/02/24 02:56:25.0656
02:56:25.0656 4564 SystemInfo:
02:56:25.0656 4564
02:56:25.0656 4564 OS Version: 5.1.2600 ServicePack: 2.0
02:56:25.0656 4564 Product type: Workstation
02:56:25.0656 4564 ComputerName: GLENN-XO7NI61RK
02:56:25.0656 4564 UserName: Glenn
02:56:25.0656 4564 Windows directory: C:\WINDOWS
02:56:25.0656 4564 System windows directory: C:\WINDOWS
02:56:25.0656 4564 Processor architecture: Intel x86
02:56:25.0656 4564 Number of processors: 2
02:56:25.0656 4564 Page size: 0x1000
02:56:25.0656 4564 Boot type: Normal boot
02:56:25.0656 4564 ============================================================
02:56:26.0234 4564 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
02:56:26.0234 4564 \Device\Harddisk0\DR0:
02:56:26.0234 4564 MBR used
02:56:26.0234 4564 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xFFFAC05
02:56:26.0250 4564 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xFFFAC83, BlocksNum 0x15432A3E
02:56:26.0296 4564 Initialize success
02:56:26.0296 4564 ============================================================
02:57:14.0937 4088 ============================================================
02:57:14.0937 4088 Scan started
02:57:14.0937 4088 Mode: Manual;
02:57:14.0937 4088 ============================================================
02:57:15.0203 4088 Abiosdsk - ok
02:57:15.0218 4088 abp480n5 - ok
02:57:15.0281 4088 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
02:57:15.0281 4088 ACPI - ok
02:57:15.0328 4088 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
02:57:15.0328 4088 ACPIEC - ok
02:57:15.0359 4088 ADIHdAudAddService (0158f4027c0808ff65ed3b3d683339c9) C:\WINDOWS\system32\drivers\ADIHdAud.sys
02:57:15.0375 4088 ADIHdAudAddService - ok
02:57:15.0375 4088 adpu160m - ok
02:57:15.0390 4088 AEAudio (358063ab6c1c4173b735525cdfa65f94) C:\WINDOWS\system32\drivers\AEAudio.sys
02:57:15.0390 4088 AEAudio - ok
02:57:15.0437 4088 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
02:57:15.0437 4088 aec - ok
02:57:15.0453 4088 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
02:57:15.0453 4088 Afc - ok
02:57:15.0500 4088 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
02:57:15.0500 4088 AFD - ok
02:57:15.0500 4088 Aha154x - ok
02:57:15.0515 4088 aic78u2 - ok
02:57:15.0515 4088 aic78xx - ok
02:57:15.0531 4088 AliIde - ok
02:57:15.0562 4088 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
02:57:15.0562 4088 AmdK8 - ok
02:57:15.0562 4088 amsint - ok
02:57:15.0609 4088 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
02:57:15.0609 4088 Arp1394 - ok
02:57:15.0625 4088 asc - ok
02:57:15.0625 4088 asc3350p - ok
02:57:15.0640 4088 asc3550 - ok
02:57:15.0656 4088 AsIO (663f2fb92608073824ee3106886120f3) C:\WINDOWS\system32\drivers\AsIO.sys
02:57:15.0656 4088 AsIO - ok
02:57:15.0703 4088 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
02:57:15.0703 4088 AsyncMac - ok
02:57:15.0734 4088 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
02:57:15.0734 4088 atapi - ok
02:57:15.0734 4088 Atdisk - ok
02:57:15.0828 4088 ati2mtag (3b88b6466896cc1a3a7e3287d72aca85) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
02:57:15.0843 4088 ati2mtag - ok
02:57:15.0875 4088 AtiHdmiService (dc6957811ff95f2dd3004361b20d8d3f) C:\WINDOWS\system32\drivers\AtiHdmi.sys
02:57:15.0875 4088 AtiHdmiService - ok
02:57:15.0890 4088 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
02:57:15.0890 4088 Atmarpc - ok
02:57:15.0937 4088 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
02:57:15.0937 4088 audstub - ok
02:57:15.0953 4088 AVGIDSDriver - ok
02:57:15.0953 4088 AVGIDSEH - ok
02:57:15.0968 4088 AVGIDSFilter - ok
02:57:15.0968 4088 AVGIDSShim - ok
02:57:15.0984 4088 Avgrkx86 - ok
02:57:15.0984 4088 Avgtdix - ok
02:57:16.0000 4088 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
02:57:16.0000 4088 Beep - ok
02:57:16.0046 4088 catchme - ok
02:57:16.0078 4088 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
02:57:16.0078 4088 cbidf2k - ok
02:57:16.0093 4088 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
02:57:16.0093 4088 CCDECODE - ok
02:57:16.0093 4088 cd20xrnt - ok
02:57:16.0109 4088 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
02:57:16.0109 4088 Cdaudio - ok
02:57:16.0125 4088 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
02:57:16.0125 4088 Cdfs - ok
02:57:16.0140 4088 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
02:57:16.0140 4088 Cdrom - ok
02:57:16.0140 4088 Changer - ok
02:57:16.0156 4088 CmdIde - ok
02:57:16.0171 4088 Cpqarray - ok
02:57:16.0187 4088 dac2w2k - ok
02:57:16.0187 4088 dac960nt - ok
02:57:16.0203 4088 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
02:57:16.0203 4088 Disk - ok
02:57:16.0234 4088 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
02:57:16.0250 4088 dmboot - ok
02:57:16.0250 4088 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
02:57:16.0265 4088 dmio - ok
02:57:16.0265 4088 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
02:57:16.0265 4088 dmload - ok
02:57:16.0296 4088 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
02:57:16.0296 4088 DMusic - ok
02:57:16.0296 4088 dpti2o - ok
02:57:16.0343 4088 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
02:57:16.0343 4088 drmkaud - ok
02:57:16.0359 4088 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
02:57:16.0359 4088 Fastfat - ok
02:57:16.0359 4088 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
02:57:16.0359 4088 Fdc - ok
02:57:16.0375 4088 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
02:57:16.0375 4088 Fips - ok
02:57:16.0390 4088 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
02:57:16.0390 4088 Flpydisk - ok
02:57:16.0421 4088 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
02:57:16.0421 4088 FltMgr - ok
02:57:16.0437 4088 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
02:57:16.0453 4088 Fs_Rec - ok
02:57:16.0453 4088 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
02:57:16.0453 4088 Ftdisk - ok
02:57:16.0484 4088 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
02:57:16.0484 4088 GEARAspiWDM - ok
02:57:16.0515 4088 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
02:57:16.0515 4088 Gpc - ok
02:57:16.0562 4088 HDAudBus (cbc3def409549672b915fb9403d63f74) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
02:57:16.0562 4088 HDAudBus - ok
02:57:16.0562 4088 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
02:57:16.0562 4088 hidusb - ok
02:57:16.0578 4088 hpn - ok
02:57:16.0578 4088 hpt3xx - ok
02:57:16.0625 4088 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
02:57:16.0625 4088 HTTP - ok
02:57:16.0625 4088 i2omgmt - ok
02:57:16.0640 4088 i2omp - ok
02:57:16.0656 4088 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
02:57:16.0656 4088 i8042prt - ok
02:57:16.0671 4088 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
02:57:16.0671 4088 Imapi - ok
02:57:16.0687 4088 ini910u - ok
02:57:16.0687 4088 IntelIde - ok
02:57:16.0734 4088 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
02:57:16.0734 4088 ip6fw - ok
02:57:16.0750 4088 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
02:57:16.0750 4088 IpFilterDriver - ok
02:57:16.0765 4088 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
02:57:16.0765 4088 IpInIp - ok
02:57:16.0781 4088 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
02:57:16.0781 4088 IpNat - ok
02:57:16.0796 4088 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
02:57:16.0796 4088 IPSec - ok
02:57:16.0812 4088 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
02:57:16.0812 4088 IRENUM - ok
02:57:16.0843 4088 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
02:57:16.0843 4088 isapnp - ok
02:57:16.0859 4088 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
02:57:16.0859 4088 Iviaspi - ok
02:57:16.0875 4088 JGOGO (c995c0e8b4503fac38793bb0236ad246) C:\WINDOWS\system32\DRIVERS\JGOGO.sys
02:57:16.0875 4088 JGOGO - ok
02:57:16.0890 4088 JRAID (c341318beae24fa4042c5f8c64cb38b6) C:\WINDOWS\system32\DRIVERS\jraid.sys
02:57:16.0890 4088 JRAID - ok
02:57:16.0906 4088 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
02:57:16.0906 4088 Kbdclass - ok
02:57:16.0906 4088 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
02:57:16.0906 4088 kbdhid - ok
02:57:16.0937 4088 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
02:57:16.0937 4088 kmixer - ok
02:57:16.0937 4088 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
02:57:16.0953 4088 KSecDD - ok
02:57:16.0953 4088 lbrtfdc - ok
02:57:17.0000 4088 mferkdk - ok
02:57:17.0031 4088 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
02:57:17.0031 4088 mnmdd - ok
02:57:17.0046 4088 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
02:57:17.0046 4088 Modem - ok
02:57:17.0062 4088 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
02:57:17.0062 4088 Mouclass - ok
02:57:17.0078 4088 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
02:57:17.0078 4088 mouhid - ok
02:57:17.0078 4088 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
02:57:17.0078 4088 MountMgr - ok
02:57:17.0093 4088 mraid35x - ok
02:57:17.0093 4088 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
02:57:17.0093 4088 MRxDAV - ok
02:57:17.0140 4088 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
02:57:17.0140 4088 MRxSmb - ok
02:57:17.0140 4088 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
02:57:17.0156 4088 Msfs - ok
02:57:17.0187 4088 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
02:57:17.0187 4088 MSKSSRV - ok
02:57:17.0203 4088 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
02:57:17.0203 4088 MSPCLOCK - ok
02:57:17.0203 4088 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
02:57:17.0203 4088 MSPQM - ok
02:57:17.0234 4088 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
02:57:17.0234 4088 mssmbios - ok
02:57:17.0265 4088 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
02:57:17.0265 4088 MSTEE - ok
02:57:17.0296 4088 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
02:57:17.0296 4088 MTsensor - ok
02:57:17.0312 4088 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
02:57:17.0312 4088 Mup - ok
02:57:17.0328 4088 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
02:57:17.0328 4088 NABTSFEC - ok
02:57:17.0359 4088 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
02:57:17.0359 4088 NDIS - ok
02:57:17.0375 4088 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
02:57:17.0375 4088 NdisIP - ok
02:57:17.0390 4088 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
02:57:17.0390 4088 NdisTapi - ok
02:57:17.0421 4088 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
02:57:17.0421 4088 Ndisuio - ok
02:57:17.0437 4088 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
02:57:17.0437 4088 NdisWan - ok
02:57:17.0453 4088 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
02:57:17.0453 4088 NDProxy - ok
02:57:17.0468 4088 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
02:57:17.0468 4088 NetBIOS - ok
02:57:17.0484 4088 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
02:57:17.0484 4088 NetBT - ok
02:57:17.0515 4088 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
02:57:17.0515 4088 NIC1394 - ok
02:57:17.0531 4088 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
02:57:17.0531 4088 Npfs - ok
02:57:17.0578 4088 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
02:57:17.0578 4088 Ntfs - ok
02:57:17.0593 4088 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
02:57:17.0593 4088 Null - ok
02:57:17.0625 4088 nvata (4d6c6b46b3edf6f2e219a86b61d104ae) C:\WINDOWS\system32\DRIVERS\nvata.sys
02:57:17.0625 4088 nvata - ok
02:57:17.0656 4088 NVENETFD (1b83b60541be1b6db81641c448007f21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
02:57:17.0671 4088 NVENETFD - ok
02:57:17.0687 4088 nvnetbus (57b669f9234604a350174b86764444b0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
02:57:17.0687 4088 nvnetbus - ok
02:57:17.0703 4088 NVTCP (c0e7437765a694328579c4674ef3ab20) C:\WINDOWS\system32\DRIVERS\NVTcp.sys
02:57:17.0703 4088 NVTCP - ok
02:57:17.0734 4088 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
02:57:17.0734 4088 NwlnkFlt - ok
02:57:17.0750 4088 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
02:57:17.0750 4088 NwlnkFwd - ok
02:57:17.0765 4088 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
02:57:17.0765 4088 ohci1394 - ok
02:57:17.0781 4088 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
02:57:17.0781 4088 Parport - ok
02:57:17.0796 4088 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
02:57:17.0796 4088 PartMgr - ok
02:57:17.0796 4088 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
02:57:17.0796 4088 ParVdm - ok
02:57:17.0812 4088 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
02:57:17.0812 4088 PCI - ok
02:57:17.0812 4088 PCIDump - ok
02:57:17.0828 4088 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
02:57:17.0828 4088 PCIIde - ok
02:57:17.0859 4088 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
02:57:17.0859 4088 Pcmcia - ok
02:57:17.0859 4088 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
02:57:17.0875 4088 pcouffin - ok
02:57:17.0875 4088 PDCOMP - ok
02:57:17.0890 4088 PDFRAME - ok
02:57:17.0890 4088 PDRELI - ok
02:57:17.0906 4088 PDRFRAME - ok
02:57:17.0906 4088 perc2 - ok
02:57:17.0921 4088 perc2hib - ok
02:57:17.0953 4088 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
02:57:17.0953 4088 PptpMiniport - ok
02:57:17.0953 4088 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
02:57:17.0968 4088 Processor - ok
02:57:17.0968 4088 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
02:57:17.0968 4088 PSched - ok
02:57:17.0984 4088 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
02:57:17.0984 4088 Ptilink - ok
02:57:18.0000 4088 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
02:57:18.0000 4088 PxHelp20 - ok
02:57:18.0015 4088 ql1080 - ok
02:57:18.0031 4088 Ql10wnt - ok
02:57:18.0031 4088 ql12160 - ok
02:57:18.0046 4088 ql1240 - ok
02:57:18.0046 4088 ql1280 - ok
02:57:18.0062 4088 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
02:57:18.0062 4088 RasAcd - ok
02:57:18.0093 4088 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
02:57:18.0093 4088 Rasl2tp - ok
02:57:18.0093 4088 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
02:57:18.0109 4088 RasPppoe - ok
02:57:18.0109 4088 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
02:57:18.0109 4088 Raspti - ok
02:57:18.0140 4088 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
02:57:18.0140 4088 Rdbss - ok
02:57:18.0156 4088 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
02:57:18.0156 4088 RDPCDD - ok
02:57:18.0171 4088 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
02:57:18.0171 4088 rdpdr - ok
02:57:18.0203 4088 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
02:57:18.0203 4088 RDPWD - ok
02:57:18.0218 4088 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
02:57:18.0218 4088 redbook - ok
02:57:18.0250 4088 SCDEmu (3b35ce540758bbabb721e234cb5a4f3f) C:\WINDOWS\system32\drivers\SCDEmu.sys
02:57:18.0250 4088 SCDEmu - ok
02:57:18.0265 4088 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
02:57:18.0265 4088 Secdrv - ok
02:57:18.0296 4088 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
02:57:18.0312 4088 SenFiltService - ok
02:57:18.0312 4088 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
02:57:18.0312 4088 serenum - ok
02:57:18.0328 4088 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
02:57:18.0328 4088 Serial - ok
02:57:18.0343 4088 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
02:57:18.0343 4088 Sfloppy - ok
02:57:18.0359 4088 Simbad - ok
02:57:18.0375 4088 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
02:57:18.0375 4088 SLIP - ok
02:57:18.0593 4088 SNP2UVC (f8e7411b26530e34d1ddc82f8a6b741a) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
02:57:18.0656 4088 SNP2UVC - ok
02:57:18.0656 4088 Sparrow - ok
02:57:18.0687 4088 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
02:57:18.0703 4088 splitter - ok
02:57:18.0750 4088 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
02:57:18.0750 4088 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
02:57:18.0750 4088 sptd ( LockedFile.Multi.Generic ) - warning
02:57:18.0750 4088 sptd - detected LockedFile.Multi.Generic (1)
02:57:18.0765 4088 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
02:57:18.0765 4088 sr - ok
02:57:18.0796 4088 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
02:57:18.0796 4088 Srv - ok
02:57:18.0828 4088 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
02:57:18.0828 4088 streamip - ok
02:57:18.0843 4088 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
02:57:18.0843 4088 swenum - ok
02:57:18.0859 4088 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
02:57:18.0859 4088 swmidi - ok
02:57:18.0875 4088 symc810 - ok
02:57:18.0875 4088 symc8xx - ok
02:57:18.0890 4088 sym_hi - ok
02:57:18.0890 4088 sym_u3 - ok
02:57:18.0906 4088 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
02:57:18.0906 4088 sysaudio - ok
02:57:18.0953 4088 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
02:57:18.0953 4088 Tcpip - ok
02:57:18.0984 4088 Tcpip6 (be4007ab8c9b62e3688fc2f469b98190) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
02:57:18.0984 4088 Tcpip6 - ok
02:57:19.0000 4088 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
02:57:19.0000 4088 TDPIPE - ok
02:57:19.0031 4088 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
02:57:19.0031 4088 TDTCP - ok
02:57:19.0062 4088 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
02:57:19.0062 4088 TermDD - ok
02:57:19.0078 4088 TosIde - ok
02:57:19.0093 4088 tunmp (87a0e9e18c10a9e454238e3330e2a26d) C:\WINDOWS\system32\DRIVERS\tunmp.sys
02:57:19.0093 4088 tunmp - ok
02:57:19.0125 4088 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
02:57:19.0125 4088 Udfs - ok
02:57:19.0140 4088 ultra - ok
02:57:19.0156 4088 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
02:57:19.0156 4088 Update - ok
02:57:19.0203 4088 usbaapl (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
02:57:19.0203 4088 usbaapl - ok
02:57:19.0218 4088 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
02:57:19.0218 4088 usbaudio - ok
02:57:19.0234 4088 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
02:57:19.0234 4088 usbccgp - ok
02:57:19.0250 4088 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
02:57:19.0250 4088 usbehci - ok
02:57:19.0265 4088 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
02:57:19.0265 4088 usbhub - ok
02:57:19.0281 4088 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
02:57:19.0281 4088 usbohci - ok
02:57:19.0312 4088 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
02:57:19.0312 4088 usbprint - ok
02:57:19.0312 4088 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
02:57:19.0312 4088 usbscan - ok
02:57:19.0328 4088 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
02:57:19.0328 4088 USBSTOR - ok
02:57:19.0359 4088 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
02:57:19.0359 4088 VgaSave - ok
02:57:19.0375 4088 ViaIde - ok
02:57:19.0406 4088 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
02:57:19.0406 4088 VolSnap - ok
02:57:19.0453 4088 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
02:57:19.0453 4088 Wanarp - ok
02:57:19.0453 4088 WDICA - ok
02:57:19.0500 4088 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
02:57:19.0500 4088 wdmaud - ok
02:57:19.0546 4088 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
02:57:19.0546 4088 WpdUsb - ok
02:57:19.0562 4088 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
02:57:19.0562 4088 WS2IFSL - ok
02:57:19.0593 4088 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
02:57:19.0593 4088 WSTCODEC - ok
02:57:19.0609 4088 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
02:57:19.0609 4088 WudfPf - ok
02:57:19.0625 4088 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
02:57:19.0625 4088 WudfRd - ok
02:57:19.0640 4088 ymdwqbuwixvpepmk - ok
02:57:19.0656 4088 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
02:57:19.0671 4088 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
02:57:19.0671 4088 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
02:57:19.0671 4088 Boot (0x1200) (fab75864fb4bdac02d2c7d424dcb1b73) \Device\Harddisk0\DR0\Partition0
02:57:19.0671 4088 \Device\Harddisk0\DR0\Partition0 - ok
02:57:19.0687 4088 Boot (0x1200) (dd20829a8d99adb4ad0f9b3e873da109) \Device\Harddisk0\DR0\Partition1
02:57:19.0703 4088 \Device\Harddisk0\DR0\Partition1 - ok
02:57:19.0703 4088 ============================================================
02:57:19.0703 4088 Scan finished
02:57:19.0703 4088 ============================================================
02:57:19.0703 5020 Detected object count: 2
02:57:19.0703 5020 Actual detected object count: 2
02:57:55.0296 5020 sptd ( LockedFile.Multi.Generic ) - skipped by user
02:57:55.0296 5020 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
02:57:55.0593 5020 \Device\Harddisk0\DR0\# - copied to quarantine
02:57:55.0593 5020 \Device\Harddisk0\DR0 - copied to quarantine
02:57:55.0625 5020 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
02:57:55.0625 5020 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
02:57:55.0625 5020 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
02:57:55.0640 5020 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
02:57:55.0640 5020 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
02:57:55.0640 5020 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
02:57:55.0640 5020 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
02:57:55.0640 5020 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
02:57:55.0640 5020 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
02:57:55.0656 5020 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
02:57:55.0656 5020 \Device\Harddisk0\DR0\TDLFS\xh.dll - copied to quarantine
02:57:55.0656 5020 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
02:57:55.0656 5020 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
02:57:55.0656 5020 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
02:57:55.0656 5020 \Device\Harddisk0\DR0 - ok
02:57:55.0671 5020 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
02:58:03.0484 0428 Deinitialize success

#7
Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,078 posts
  • Gender:Male
  • Location:Bulgaria, EU
Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Step 2

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


In your next post, please include:

  • Malwarebytes' Anti-Malware log
  • ESET Online Scanner log

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

#8
gy18

    New Member

  • Members
  • Pip
  • 21 posts
Malwarebytes' Anti-Malware log:

2012/02/24 14:50:48 -0500 GLENN-XO7NI61RK Glenn MESSAGE Starting protection
2012/02/24 14:50:54 -0500 GLENN-XO7NI61RK Glenn MESSAGE Protection started successfully
2012/02/24 14:50:57 -0500 GLENN-XO7NI61RK Glenn MESSAGE Starting IP protection
2012/02/24 14:50:59 -0500 GLENN-XO7NI61RK Glenn MESSAGE IP Protection started successfully
2012/02/24 15:00:33 -0500 GLENN-XO7NI61RK Glenn MESSAGE Executing scheduled update: Daily
2012/02/24 15:00:35 -0500 GLENN-XO7NI61RK Glenn MESSAGE Database already up-to-date
2012/02/24 15:08:02 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 98.142.245.229 (Type: outgoing)
2012/02/24 15:08:05 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 98.142.245.229 (Type: outgoing)
2012/02/24 15:08:11 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 98.142.245.229 (Type: outgoing)
2012/02/24 15:45:33 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.150 (Type: outgoing)
2012/02/24 15:45:36 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.150 (Type: outgoing)
2012/02/24 15:45:42 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.150 (Type: outgoing)
2012/02/24 15:47:56 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)
2012/02/24 15:47:59 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)
2012/02/24 15:48:05 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)
2012/02/24 15:50:18 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)
2012/02/24 15:50:21 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)
2012/02/24 15:50:27 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)
2012/02/24 15:52:39 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)
2012/02/24 15:52:42 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)
2012/02/24 15:52:48 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)
2012/02/24 15:55:00 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)
2012/02/24 15:55:03 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)
2012/02/24 15:55:09 -0500 GLENN-XO7NI61RK Glenn IP-BLOCK 141.136.16.151 (Type: outgoing)

ESET Online Scanner log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=264e8e8b114f3f4ebcf0aa1d7e04b8eb
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-24 09:53:24
# local_time=2012-02-24 04:53:24 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 98229336 98229336 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=221497
# found=19
# cleaned=19
# scan_time=4731
C:\Documents and Settings\Glenn\Desktop\Programs\FirefoxPortable\U92.exe Win32/UltraReach application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Glenn\My Documents\Downloads\RegistryCleanerFree-2.2.7.8.Setup.exe a variant of Win32/Adware.RealRegistryCleaner application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Glenn\My Documents\Downloads\SUPERsetup.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Glenn\My Documents\Downloads\vshare-toolbar.exe Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\vshare\imedix-silent-new.exe Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ctix7b4h.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Glenn\Application Data\Mozilla\Firefox\Profiles\pf04h0gi.default\extensions\{ca86ec42-c7aa-441f-9d69-14859b47cc0e}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{868E2DC3-F54D-451F-B294-829CAB984948}\RP10\A0006896.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{868E2DC3-F54D-451F-B294-829CAB984948}\RP10\A0006897.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{868E2DC3-F54D-451F-B294-829CAB984948}\RP16\A0014026.exe Win32/UltraReach application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{868E2DC3-F54D-451F-B294-829CAB984948}\RP16\A0014027.exe Win32/Toolbar.Zugo application (deleted - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\24.02.2012_02.56.25\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\24.02.2012_02.56.25\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\24.02.2012_02.56.25\mbr0000\tdlfs0000\tsk0003.dta a variant of Win32/Rootkit.Kryptik.IQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\24.02.2012_02.56.25\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\24.02.2012_02.56.25\mbr0000\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\24.02.2012_02.56.25\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\24.02.2012_02.56.25\mbr0000\tdlfs0000\tsk0010.dta a variant of Win32/Olmarik.AYG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\24.02.2012_02.56.25\mbr0000\tdlfs0000\tsk0011.dta a variant of Win32/Olmarik.AYH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#9
Maniac

    Forum Deity

  • Experts
  • 17,078 posts
  • Gender:Male
  • Location:Bulgaria, EU
Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and post it in your next reply.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

#10
gy18

    New Member

  • Members
  • 21 posts
Status: Disinfected (events: 15)
2/25/2012 4:47:25 PM Disinfected Trojan program Exploit.Java.Agent.fw C:\Documents and Settings\Glenn\Application Data\Sun\Java\Deployment\cache\6.0\34\129458e2-5d7a6d17 High
2/25/2012 4:47:25 PM Disinfected Trojan program Exploit.Java.Agent.fw C:\Documents and Settings\Glenn\Application Data\Sun\Java\Deployment\cache\6.0\34\129458e2-5d7a6d17/apache/adidas.class High
2/25/2012 4:47:25 PM Disinfected Trojan program Trojan-Downloader.Java.OpenStream.bq C:\Documents and Settings\Glenn\Application Data\Sun\Java\Deployment\cache\6.0\35\290a52e3-4b0a97e6 High
2/25/2012 4:47:25 PM Disinfected Trojan program Trojan-Downloader.Java.OpenStream.bq C:\Documents and Settings\Glenn\Application Data\Sun\Java\Deployment\cache\6.0\35\290a52e3-4b0a97e6/glass/boing.class High
2/25/2012 4:47:25 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.u C:\Documents and Settings\Glenn\Application Data\Sun\Java\Deployment\cache\6.0\60\22a9a23c-63e0b0c2 High
2/25/2012 4:47:25 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.u C:\Documents and Settings\Glenn\Application Data\Sun\Java\Deployment\cache\6.0\60\22a9a23c-63e0b0c2/tools/Commander.class High
2/25/2012 4:47:37 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.l C:\Documents and Settings\Glenn\Application Data\Sun\Java\Deployment\cache\6.0\61\29ebbdbd-676bc57a High
2/25/2012 4:47:37 PM Disinfected Trojan program Exploit.Java.CVE-2011-3544.l C:\Documents and Settings\Glenn\Application Data\Sun\Java\Deployment\cache\6.0\61\29ebbdbd-676bc57a/morale.class High
2/25/2012 6:24:51 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.d C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\59\2d459b3b-59442645 High
2/25/2012 6:24:51 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.e C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\35\78e31ce3-27e3d054 High
2/25/2012 6:24:51 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.d C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\59\2d459b3b-59442645/encode/ISO.class High
2/25/2012 6:24:51 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.e C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\35\78e31ce3-27e3d054/lort/border.class High
2/25/2012 6:24:51 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.e C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\35\78e31ce3-27e3d054/lort/cooter.class High
2/25/2012 6:24:51 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.d C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\59\2d459b3b-59442645/lang_driver/restore.class High
2/25/2012 10:50:44 PM Disinfected Trojan program Rootkit.Boot.Pihar.b \Device\Harddisk0\DR0 High
Status: Deleted (events: 2)
2/25/2012 6:25:03 PM Deleted Trojan program Rootkit.Boot.Pihar.b C:\TDSSKiller_Quarantine\24.02.2012_02.56.25\mbr0000\mbr0000\tsk0000.dta High
2/25/2012 10:56:50 PM Deleted Trojan program Trojan.Win32.Crot.a c:\WINDOWS\Installer\155e17.msi High

#11
Maniac

    Forum Deity

  • Experts
  • 17,078 posts
  • Gender:Male
  • Location:Bulgaria, EU
How are things now?

#12
gy18

    New Member

  • Members
  • 21 posts
Malwarebytes Free is still blocking incoming threats and I still cannot watch videos. It would freeze the computer and I still have to force shut down. But Google doesn't redirect me to different pages anymore.

#13
Maniac

    Forum Deity

  • Experts
  • 17,078 posts
  • Gender:Male
  • Location:Bulgaria, EU
Make sure your AV is up-to-date and perform a full system scan. Next, post a new fresh HiJackThis log file.

#14
gy18

    New Member

  • Members
  • 21 posts
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:26:51 PM, on 2/26/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vsnp2uvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Documents and Settings\Glenn\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Aim] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1271014203546
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1271015953046
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/...SetupClient.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.30\bin\mysqld.exe

--
End of file - 10855 bytes

#15
Maniac

    Forum Deity

  • Experts
  • 17,078 posts
  • Gender:Male
  • Location:Bulgaria, EU
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - (no file)
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Now close all windows other than HiJackThis, then click Fix Checked. Reboot your PC and let me know how things are.
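The entries Maniac asks to tick above are picked out by their HijackThis section code (O4 Run keys, O18 protocol handlers, O23 services) and, for the orphaned ones, by the "(no file)" / "(file missing)" marker at the end of the line. As an added example, not from this thread and not part of HijackThis itself, here is a small Python triage helper that parses those three sections from a saved HijackThis log and flags entries a helper would look at first. The sample log lines are copied from the log posted above; the flag heuristics (missing file, path under a Temp directory, service with "Unknown owner") are my own assumptions and go a little beyond the post, which only removes the orphaned O18 entry and a handful of harmless startup items.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: these lines are copied from the HijackThis log posted
# in this thread, so the output can be compared with the advice given there.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - (no file)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Glenn\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""


@dataclass
class Entry:
    section: str                                   # HijackThis section code: "O4", "O18", "O23"
    label: str                                     # Run value name, protocol name or service name
    target: str                                    # command line / path the entry points at
    owner: str = ""                                # O23 only: the publisher string HijackThis shows
    flags: List[str] = field(default_factory=list)  # triage reasons; empty if nothing stood out


# Every HijackThis line starts with a section code followed by " - ".
_SECTION_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")
# O4 bodies look like: HKLM\..\Run: [ValueName] command line
_RUN_RE = re.compile(r"^(?P<hive>[^:]+):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O4, O18 and O23 lines of a HijackThis log; other sections are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = _SECTION_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section == "O4":
            r = _RUN_RE.match(body)
            if r:
                entries.append(Entry(section, r.group("name"), r.group("cmd")))
        elif section in ("O18", "O23"):
            # "Protocol: name - {CLSID} - path" / "Service: name - owner - path":
            # the last " - " separated field is the file the entry points at.
            parts = body.split(" - ")
            label = parts[0].split(": ", 1)[-1]
            owner = parts[1] if section == "O23" and len(parts) >= 3 else ""
            entries.append(Entry(section, label, parts[-1], owner))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach triage flags (heuristics assumed here) and return only the flagged entries."""
    flagged: List[Entry] = []
    for e in entries:
        target = e.target.lower()
        if "(no file)" in target or "(file missing)" in target:
            e.flags.append("orphaned entry: referenced file is missing")
        if "\\temp\\" in target:
            e.flags.append("points into a temporary directory")
        if e.section == "O23" and e.owner == "Unknown owner":
            e.flags.append("service has no publisher string")
        if e.flags:
            flagged.append(e)
    return flagged


def report(text: str) -> List[str]:
    """One human-readable line per flagged entry, in log order."""
    return [f"{e.section} [{e.label}] -> {e.target}: " + "; ".join(e.flags)
            for e in triage(parse_hjt(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the sample above the helper reports the vsharechrome O18 handler, the GameGuard service and the SessionLauncher service; the two O4 startup items and the Malwarebytes service are parsed but not flagged, which matches the thread in that the orphaned O18 entry is the one Maniac removes for a reason other than tidiness.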

#16
gy18

    New Member

  • Members
  • 21 posts
I am still having the same problem. It's only the videos that I try watching online. I could watch videos using my other programs just fine though.

#17
Maniac

    Forum Deity

  • Experts
  • 17,078 posts
  • Gender:Male
  • Location:Bulgaria, EU
Please repeat the instructions, but this time for this entry:

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

Let me know.

#18
gy18

    New Member

  • Members
  • 21 posts
I did as instructed, but I am still having the same problem.

#19
Maniac

    Forum Deity

  • Experts
  • 17,078 posts
  • Gender:Male
  • Location:Bulgaria, EU
Download aswMBR.exe (1.8 MB) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

#20
gy18

    New Member

  • Members
  • 21 posts
aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-03 19:27:44
-----------------------------
19:27:44.468 OS Version: Windows 5.1.2600 Service Pack 2
19:27:44.484 Number of processors: 2 586 0x4302
19:27:44.484 ComputerName: GLENN-XO7NI61RK UserName: Glenn
19:27:45.046 Initialize success
19:27:54.015 AVAST engine defs: 12030300
19:27:59.703 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000076
19:27:59.703 Disk 0 Vendor: WDC_WD3200AAKS-00VYA0 12.01B02 Size: 305245MB BusType: 3
19:27:59.718 Device \Driver\nvata -> MajorFunction 8a95c1f8
19:27:59.781 Disk 0 MBR read successfully
19:27:59.781 Disk 0 MBR scan
19:27:59.796 Disk 0 Windows XP default MBR code
19:27:59.812 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 131061 MB offset 63
19:27:59.812 Disk 0 Partition - 00 0F Extended LBA 174181 MB offset 268414020
19:27:59.843 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 174181 MB offset 268414083
19:27:59.843 Disk 0 scanning sectors +625137345
19:27:59.953 Disk 0 scanning C:\WINDOWS\system32\drivers
19:28:25.546 Service scanning
19:28:34.906 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
19:28:38.156 Modules scanning
19:29:10.953 Disk 0 trace - called modules:
19:29:10.968 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a95c1f8]<<
19:29:10.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a83aab8]
19:29:10.984 3 CLASSPNP.SYS[ba11905b] -> nt!IofCallDriver -> \Device\00000078[0x8a90ef18]
19:29:10.984 5 ACPI.sys[b9e66620] -> nt!IofCallDriver -> \Device\00000076[0x8a7d6030]
19:29:10.984 \Driver\nvata[0x8a8c5218] -> IRP_MJ_CREATE -> 0x8a95c1f8
19:29:11.234 AVAST engine scan C:\WINDOWS
19:29:33.921 AVAST engine scan C:\WINDOWS\system32
19:34:03.390 AVAST engine scan C:\WINDOWS\system32\drivers
19:34:18.281 AVAST engine scan C:\Documents and Settings\Glenn
20:11:57.859 AVAST engine scan C:\Documents and Settings\All Users
20:14:42.953 Scan finished successfully
22:28:27.562 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Glenn\My Documents\gerry\MBR.dat"
22:28:27.562 The log file has been saved successfully to "C:\Documents and Settings\Glenn\My Documents\gerry\aswMBRLog.txt"




