TDSS remnants - ERNEL32.DLL removal help please

MrHappy · July 14, 2010

I've got a laptop here which recently underwent significant virus removal. I *thought* I got the entire rootkit out and all trojans (when I scan with virtually any scanner online or local nothing is found, including linux scans with clam and fprot) but MBAM is occassionally popping up infection notices for files that when checked for do not exist. I've tried every scanner, tool, trick I know. Below is the MBAM protection logs. Rather than post any other items I'll hopefully wait for specifics. I know the crew here was able to clean my other system (which I tried the same steps on this one to no effect) so hopefully this one won't be an issue. Thank you in advance.

10:12:15 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL QUARANTINE

10:12:16 Jim ERROR Quarantine failed: UtilityReadFile failed with error code 2

19:43:17 Jim DETECTION C:\USERS\JIM\APPDATA\LOCAL\TEMP\WSCSVC32.EXE Trojan.FakeAlert QUARANTINE

19:43:18 Jim ERROR Quarantine failed: UtilityReadFile failed with error code 2

Elise · July 14, 2010

You already have an active topic here with Maniac.

If this is about the same computer, this topic will be closed.

If this is about another computer than the one you are working on with Maniac, please let me know and I'll provide you with additional instructions.

MrHappy · July 14, 2010

This is a different computer. Maniac helped me resolve the other issue and I attempted similar steps with this unit to no success. Your assistance is very much appreciated.

Elise · July 14, 2010

In that case, lets get started.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

Please download OTL from one of the following mirrors:
- This is THE Mirror
[*]Save it to your desktop.
[*]Double click on the icon on your desktop.
[*]Click the "Scan All Users" checkbox.
[*]Push the button.
[*]Two reports will open, copy and paste them in a reply here:
- OTListIt.txt <-- Will be opened
- Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

A detailed description of your problems
A new OTL log (don't forget extra.txt)
GMER log

MrHappy · July 15, 2010

The 3 logs are c/p below. The laptop is now disconnected from the internet (and will remain so until instructed otherwise) Also, no new apps will be installed or removed until instructed to do so. I have renabled my AV and MBAM following scans. Thank you again for your assistance!!

___ OTL LOG ___

OTL logfile created on: 7/15/2010 2:38:37 PM - Run 1

OTL by OldTimer - Version 3.2.9.0 Folder = C:\Users\Jim\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18928)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 64.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 103.65 Gb Total Space | 72.21 Gb Free Space | 69.67% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: JIM-PC

Current User Name: Jim

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/15 14:37:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Jim\Desktop\OTL.exe

PRC - [2010/06/01 14:53:46 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe

PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

PRC - [2009/12/11 04:37:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2007/10/31 17:13:44 | 000,921,600 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

PRC - [2007/10/31 13:40:08 | 000,125,440 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe

PRC - [2007/10/30 15:04:08 | 000,748,072 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

PRC - [2007/10/12 20:29:56 | 000,045,056 | ---- | M] (Sony Electronics, Inc.) -- C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe

PRC - [2007/09/19 15:09:58 | 000,311,296 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ISB Utility\ISBMgr.exe

PRC - [2007/09/19 08:20:05 | 000,166,424 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxext.exe

PRC - [2007/09/05 13:53:48 | 000,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

PRC - [2007/08/28 20:27:12 | 000,131,072 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

PRC - [2007/08/28 20:27:10 | 000,192,512 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

PRC - [2007/08/15 00:05:18 | 000,182,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

PRC - [2007/08/15 00:05:18 | 000,100,472 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe

PRC - [2007/06/28 12:52:48 | 000,274,432 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

PRC - [2007/06/15 16:45:20 | 000,469,112 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

PRC - [2007/01/04 23:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

PRC - [2006/10/23 05:40:14 | 000,046,200 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe

PRC - [2006/10/23 03:24:02 | 000,620,152 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

========== Modules (SafeList) ==========

MOD - [2010/07/15 14:37:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Jim\Desktop\OTL.exe

MOD - [2009/04/11 02:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll

MOD - [2008/01/20 22:24:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx

MOD - [2007/10/30 15:03:22 | 000,208,896 | ---- | M] (Broadcom Corporation.) -- C:\Windows\System32\BtMmHook.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)

SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)

SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)

SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2009/12/11 04:37:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2009/09/24 21:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)

SRV - [2008/03/05 16:45:28 | 000,106,496 | ---- | M] (PCTEL) [On_Demand | Stopped] -- C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe -- (SprintRcAppSvc)

SRV - [2008/03/05 16:45:26 | 000,118,784 | ---- | M] (PCTEL) [On_Demand | Stopped] -- C:\Program Files\Sprint\Sprint SmartView\ConAppsSvc.exe -- (CASprint)

SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2007/10/31 13:40:08 | 000,125,440 | ---- | M] (ArcSoft, Inc.) [Auto | Running] -- C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe -- (uCamMonitor)

SRV - [2007/09/29 01:11:44 | 000,292,128 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe -- (VcmIAlzMgr)

SRV - [2007/09/23 15:36:38 | 002,818,048 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe -- (VAIOMediaPlatform-IntegratedServer-AppServer)

SRV - [2007/09/20 22:52:32 | 000,079,136 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe -- (VcmXmlIfHelper)

SRV - [2007/09/05 13:53:48 | 000,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)

SRV - [2007/08/28 20:27:12 | 000,131,072 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe -- (VzFw)

SRV - [2007/08/28 20:27:10 | 000,192,512 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe -- (VzCdbSvc)

SRV - [2007/08/15 00:05:18 | 000,182,392 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)

SRV - [2007/08/09 04:51:32 | 000,499,712 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe -- (VAIOMediaPlatform-Mobile-Gateway)

SRV - [2007/08/09 04:51:30 | 001,089,536 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-UCLS-UPnP) VAIO Media Content Collection (UPnP)

SRV - [2007/08/09 04:51:30 | 001,089,536 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-IntegratedServer-UPnP) VAIO Media Integrated Server (UPnP)

SRV - [2007/08/09 04:51:30 | 000,397,312 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-UCLS-HTTP) VAIO Media Content Collection (HTTP)

SRV - [2007/08/09 04:51:30 | 000,397,312 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-IntegratedServer-HTTP) VAIO Media Integrated Server (HTTP)

SRV - [2007/06/28 12:53:04 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe -- (VAIO Entertainment TV Device Arbitration Service)

SRV - [2007/06/28 12:52:48 | 000,274,432 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -- (Vcsw)

SRV - [2007/06/05 17:20:32 | 000,177,704 | ---- | M] () [Disabled | Stopped] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)

SRV - [2007/05/24 11:08:44 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)

SRV - [2007/01/10 20:51:06 | 000,745,472 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe -- (VAIOMediaPlatform-UCLS-AppServer)

SRV - [2007/01/04 23:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)

SRV - [2006/12/14 06:21:20 | 000,045,056 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)

SRV - [2006/12/14 06:02:08 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)

SRV - [2006/12/14 05:46:16 | 000,057,344 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)

SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [On_Demand | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)

SRV - [2005/11/14 05:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Jim\AppData\Local\Temp\catchme.sys -- (catchme)

DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\MpFilter.sys -- (MpFilter)

DRV - [2010/03/25 21:30:22 | 000,042,368 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)

DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nuidfltr.sys -- (NuidFltr)

DRV - [2008/03/05 16:41:58 | 000,164,480 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SWNC5E00.sys -- (SWNC5E00) Sierra Wireless MUX NDIS Driver (#00)

DRV - [2008/03/05 16:41:58 | 000,149,000 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swmx00.sys -- (swmx00) Sierra Wireless USB MUX Driver (#00)

DRV - [2008/03/05 16:41:58 | 000,024,840 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt)

DRV - [2008/03/05 16:41:48 | 000,038,680 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pctnullport.sys -- (Nmea)

DRV - [2008/03/05 16:36:22 | 000,032,408 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\PCTINDIS5.sys -- (PCTINDIS5)

DRV - [2008/01/20 22:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)

DRV - [2008/01/20 22:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)

DRV - [2008/01/20 22:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)

DRV - [2008/01/20 22:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)

DRV - [2008/01/20 22:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)

DRV - [2008/01/20 22:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)

DRV - [2008/01/20 22:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)

DRV - [2008/01/20 22:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)

DRV - [2008/01/20 22:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)

DRV - [2008/01/20 22:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®

DRV - [2008/01/20 22:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)

DRV - [2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)

DRV - [2008/01/20 22:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)

DRV - [2008/01/20 22:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)

DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)

DRV - [2008/01/20 22:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)

DRV - [2008/01/20 22:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)

DRV - [2008/01/20 22:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)

DRV - [2008/01/20 22:23:22 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)

DRV - [2008/01/20 22:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)

DRV - [2008/01/20 22:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)

DRV - [2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)

DRV - [2008/01/20 22:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)

DRV - [2008/01/20 22:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)

DRV - [2008/01/20 22:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)

DRV - [2008/01/20 22:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)

DRV - [2007/11/16 10:01:53 | 000,818,688 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ti21sony.sys -- (ti21sony)

DRV - [2007/11/16 09:13:23 | 000,017,448 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwrchid.sys -- (btwrchid)

DRV - [2007/11/16 09:13:19 | 000,099,880 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwavdt.sys -- (btwavdt)

DRV - [2007/11/16 09:13:19 | 000,081,448 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwaudio.sys -- (btwaudio)

DRV - [2007/11/16 09:12:00 | 000,028,464 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwl2cap.sys -- (btwl2cap)

DRV - [2007/10/29 23:30:30 | 000,017,920 | ---- | M] (ArcSoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ArcSoftKsUFilter.sys -- (ArcSoftKsUFilter)

DRV - [2007/10/16 08:28:34 | 000,073,472 | ---- | M] (Ricoh) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\R5U870FLx86.sys -- (R5U870FLx86)

DRV - [2007/10/16 08:28:34 | 000,043,904 | ---- | M] (Ricoh) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\R5U870FUx86.sys -- (R5U870FUx86)

DRV - [2007/10/12 18:04:40 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PCASp50.sys -- (PCASp50)

DRV - [2007/09/19 17:38:18 | 000,010,216 | ---- | M] (Sony Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\DMICall.sys -- (DMICall)

DRV - [2007/09/19 08:19:52 | 001,776,128 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)

DRV - [2007/09/18 23:30:44 | 002,222,080 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®

DRV - [2007/09/06 17:30:24 | 000,194,048 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)

DRV - [2007/09/06 08:24:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)

DRV - [2007/09/06 08:23:59 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)

DRV - [2007/09/06 08:23:56 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)

DRV - [2007/09/06 08:23:56 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)

DRV - [2007/09/06 08:23:32 | 000,084,480 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)

DRV - [2007/08/28 21:58:06 | 000,009,344 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SFEP.sys -- (SFEP)

DRV - [2007/05/24 20:36:21 | 000,128,104 | R--- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\WimFltr.sys -- (WimFltr)

DRV - [2007/04/18 00:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\regi.sys -- (regi)

DRV - [2007/04/06 14:18:09 | 001,761,696 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2007/03/07 23:38:05 | 000,181,560 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)

DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)

DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)

DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)

DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)

DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)

DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)

DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)

DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)

DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)

DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)

DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)

DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)

DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)

DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)

DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)

DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)

DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)

DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)

DRV - [2006/11/01 16:18:15 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

IE - HKU\S-1-5-21-650255816-1902990462-1267607324-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data over 100 bytes]

IE - HKU\S-1-5-21-650255816-1902990462-1267607324-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/

IE - HKU\S-1-5-21-650255816-1902990462-1267607324-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKU\S-1-5-21-650255816-1902990462-1267607324-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-650255816-1902990462-1267607324-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

O1 HOSTS File: ([2010/07/13 00:21:13 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll (AOL LLC)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll (AOL LLC)

O3 - HKU\S-1-5-21-650255816-1902990462-1267607324-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKU\S-1-5-21-650255816-1902990462-1267607324-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-650255816-1902990462-1267607324-1000\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll (AOL LLC)

O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)

O4 - HKLM..\Run: [iSBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)

O4 - HKLM..\Run: [sprint SmartView] C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe (Sprint)

O4 - HKLM..\Run: [VAIO Center Access Bar] c:\program files\sony\VAIO Center Access Bar\VCAB.exe (Sony Electronics, Inc.)

O4 - HKLM..\Run: [VAIOSurvey] C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe ()

O4 - HKLM..\Run: [VWLASU] C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe (Sony Electronics, Inc.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKU\S-1-5-21-650255816-1902990462-1267607324-1000..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-650255816-1902990462-1267607324-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-650255816-1902990462-1267607324-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)

O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()

O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll (AOL LLC)

O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()

O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.200

O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\Windows\System32\VESWinlogon.dll (Sony Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\VAIO CR Wallpaper Blue 1280x800.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\VAIO CR Wallpaper Blue 1280x800.jpg

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O35 - HKU\S-1-5-21-650255816-1902990462-1267607324-1000..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKU\S-1-5-21-650255816-1902990462-1267607324-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/15 14:37:06 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Jim\Desktop\OTL.exe

[2010/07/13 19:29:21 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2010/07/13 19:29:21 | 000,000,000 | ---D | C] -- C:\Users\Jim\AppData\Local\temp

[2010/07/13 19:28:32 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2010/07/13 19:20:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe

[2010/07/13 18:05:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun

[2010/07/13 18:05:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/07/13 18:04:53 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll

[2010/07/13 18:04:53 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe

[2010/07/13 18:04:53 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe

[2010/07/13 18:04:53 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe

[2010/07/13 18:04:37 | 000,000,000 | ---D | C] -- C:\Program Files\Java

[2010/07/13 15:51:16 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/07/13 15:32:59 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/07/13 15:25:03 | 000,000,000 | ---D | C] -- C:\Windows\pss

[2010/07/13 09:29:25 | 000,986,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winload.exe

[2010/07/13 00:08:27 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2010/07/12 17:37:05 | 000,000,000 | ---D | C] -- C:\Windows\RestoreSafeDeleted

[2010/07/12 17:30:34 | 000,000,000 | ---D | C] -- C:\Users\Jim\Documents\RegRun2

[2010/07/12 16:41:07 | 000,000,000 | ---D | C] -- C:\Users\Jim\AppData\Roaming\Malwarebytes

[2010/07/12 16:32:14 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

[2010/07/12 16:32:04 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

[2010/07/12 16:32:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2010/07/12 16:32:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/07/12 16:09:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2010/07/12 16:09:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2010/07/12 16:07:41 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2010/06/24 03:00:23 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe

[2010/06/24 03:00:23 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll

[2010/06/24 03:00:23 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll

[2010/06/23 09:09:59 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\System32\GameUXLegacyGDFs.dll

[2010/06/23 09:09:59 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Apphlpdm.dll

========== Files - Modified Within 30 Days ==========

[2010/07/15 14:39:56 | 001,835,008 | -HS- | M] () -- C:\Users\Jim\NTUSER.DAT

[2010/07/15 14:39:47 | 000,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{6C050725-BE1B-4105-9710-DE0396DA7FD9}.job

[2010/07/15 14:37:31 | 000,293,376 | ---- | M] () -- C:\Users\Jim\Desktop\4sfzn8c1.exe

[2010/07/15 14:37:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Jim\Desktop\OTL.exe

[2010/07/15 14:34:51 | 000,002,473 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[2010/07/15 14:34:42 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2010/07/15 14:34:40 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2010/07/15 14:34:40 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2010/07/15 14:34:39 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2010/07/15 14:34:28 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/07/15 14:34:25 | 3211,190,272 | -HS- | M] () -- C:\hiberfil.sys

[2010/07/14 15:12:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2010/07/14 11:17:37 | 000,703,388 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2010/07/14 11:17:37 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2010/07/14 11:17:37 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2010/07/14 10:12:47 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat

[2010/07/14 10:12:45 | 000,524,288 | -HS- | M] () -- C:\Users\Jim\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms

[2010/07/14 10:12:45 | 000,065,536 | -HS- | M] () -- C:\Users\Jim\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf

[2010/07/14 10:12:40 | 001,450,708 | -H-- | M] () -- C:\Users\Jim\AppData\Local\IconCache.db

[2010/07/13 19:35:39 | 000,000,000 | ---- | M] () -- C:\Users\Jim\defogger_reenable

[2010/07/13 19:27:03 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini

[2010/07/13 18:04:40 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll

[2010/07/13 18:04:40 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe

[2010/07/13 18:04:40 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe

[2010/07/13 18:04:40 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe

[2010/07/13 00:30:16 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2010/07/13 00:30:16 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2010/07/13 00:21:13 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2010/07/12 18:15:30 | 000,001,887 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk

[2010/07/12 17:31:41 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt

[2010/07/12 17:31:41 | 000,001,688 | ---- | M] () -- C:\Windows\System32\autoexec.nt

[2010/07/12 17:31:41 | 000,000,002 | R--- | M] () -- C:\Windows\winstart.bat

[2010/07/12 16:32:24 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/07/12 15:56:56 | 227,748,134 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2010/06/30 03:00:32 | 000,000,942 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk

========== Files Created - No Company Name ==========

[2010/07/15 14:37:27 | 000,293,376 | ---- | C] () -- C:\Users\Jim\Desktop\4sfzn8c1.exe

[2010/07/13 20:38:54 | 3211,190,272 | -HS- | C] () -- C:\hiberfil.sys

[2010/07/13 19:35:39 | 000,000,000 | ---- | C] () -- C:\Users\Jim\defogger_reenable

[2010/07/13 00:30:16 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS

[2010/07/13 00:30:16 | 000,000,000 | RHS- | C] () -- C:\IO.SYS

[2010/07/12 17:31:41 | 000,000,002 | R--- | C] () -- C:\Windows\winstart.bat

[2010/07/12 16:32:24 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/07/12 16:09:22 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe

[2010/07/12 16:09:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2010/07/12 16:09:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2010/07/12 16:09:22 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe

[2010/07/12 16:09:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2010/06/30 03:00:32 | 000,000,942 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Security Essentials.lnk

[2010/04/09 09:46:29 | 000,000,028 | ---- | C] () -- C:\Windows\pdf995.ini

[2010/04/09 09:46:01 | 000,051,716 | ---- | C] () -- C:\Windows\System32\pdf995mon.dll

[2010/04/09 09:46:01 | 000,000,142 | ---- | C] () -- C:\Windows\wpd99.drv

[2009/12/14 11:30:04 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009/12/11 05:02:28 | 000,019,968 | ---- | C] () -- C:\Windows\System32\Cpuinf32.dll

[2009/12/11 05:00:21 | 000,344,064 | ---- | C] () -- C:\Windows\System32\SSMSIppCustom.dll

[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll

[2008/03/05 16:41:58 | 000,024,840 | ---- | C] () -- C:\Windows\System32\drivers\swmsflt.sys

[2008/02/16 19:14:36 | 000,000,000 | ---- | C] () -- C:\Windows\VAIOUpdt.INI

[2008/02/16 18:02:48 | 000,910,464 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll

[2008/02/16 18:02:48 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll

[2008/02/16 18:02:48 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1295.dll

[2008/02/16 18:01:16 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

[2007/10/30 14:44:52 | 000,393,216 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll

[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2001/11/14 17:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

< End of report >

___ End of OTL LOG ___

OTL Extras logfile created on: 7/15/2010 2:38:37 PM - Run 1

OTL by OldTimer - Version 3.2.9.0 Folder = C:\Users\Jim\Desktop

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18928)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 64.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 83.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 103.65 Gb Total Space | 72.21 Gb Free Space | 69.67% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: JIM-PC

Current User Name: Jim

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-650255816-1902990462-1267607324-1000\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-650255816-1902990462-1267607324-1000]

"EnableNotifications" = 0

"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{20409595-8550-4789-A861-9F3BAD56066D}" = protocol=6 | dir=in | app=c:\windows\system32\spoolsv.exe |

"{3F9FE594-27E7-4933-9668-C2D11B31B8AE}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{4DA21827-56C2-4D8D-B4A8-59F946488493}" = protocol=17 | dir=in | app=c:\program files\sony\locationfreeplayer\lfpc3\lfpc3.exe |

"{5BE308FF-8D4F-49A5-A273-3FCC26142791}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{718EA42B-52FC-4F98-ACD9-5B1A81D85BFF}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |

"{74D9DD1D-57BA-4A50-89E6-B6E3CD6A104A}" = protocol=6 | dir=in | app=c:\windows\system32\spoolsv.exe |

"{82D72B77-A279-44E3-8377-8705BC89B347}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aolacsd.exe |

"{877DACFB-2446-4349-A907-9BA744C9E1F9}" = protocol=17 | dir=in | app=c:\windows\system32\spoolsv.exe |

"{88AA3256-EA31-4139-ACA4-CB9F1D8F2F9F}" = protocol=17 | dir=in | app=c:\windows\system32\spoolsv.exe |

"{C400A02E-95B7-43AE-8A0A-74396DC46E10}" = protocol=6 | dir=in | app=c:\program files\sony\locationfreeplayer\lfpc3\lfpc3.exe |

"{E0A1F7DC-8CCB-492B-ADD1-422ACFBDE0CA}" = protocol=6 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |

"{E92F867E-497F-4230-BABA-850AE9016777}" = protocol=17 | dir=in | app=c:\program files\common files\aol\acs\aoldial.exe |

"TCP Query User{CF4D8DF0-610A-475B-A285-CB7309B667DA}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe |

"UDP Query User{4F0587EA-B03B-4DB9-9F7A-FBB04CA1A578}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{017FDD1B-A971-4084-B652-584181002812}" = VAIO Content Metadata Intelligent Analyzing Manager

"{01FDC9FC-4D4F-4DB0-ACD1-D3E8E1D52902}" = Sony Video Shared Library

"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.1.0.2200

"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module

"{15D5C238-4C2E-4AEA-A66D-D6989A4C586B}" = VAIO Launcher

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{1B500D37-E7CF-480B-8054-8A563594EC4E}" = VAIO OOBE and Welcome Center

"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for VAIO

"{2063C2E8-3812-4BBD-9998-6610F80C1DD4}" = VAIO Media AC3 Decoder 1.0

"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{23825B69-36DF-4DAD-9CFD-118D11D80F16}" = VAIO Content Folder Setting

"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java 6 Update 20

"{28549656-3CB3-44B6-9FAB-925A18DAC796}" = VAIO Movie Story

"{2A0F3EF9-68EE-49E9-A05B-ED5B82DF63E5}" = Wireless Switch Setting Utility

"{34B37A74-125E-4406-87BA-E4BD3D097AE5}" = VAIO Survey

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{4203C377-8F5B-4B3C-9096-6FC7C2CB9BC5}" = VAIO Content Metadata XML Interface Library

"{48820099-ED7D-424B-890C-9A82EF00656D}" = VAIO Update 3

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4DCEA9C1-4D6E-41BF-A854-28CFA8B56DBF}" = Click to Disc Editor

"{4EA55D20-27FB-45D7-8726-147E8A5F6C62}" = VAIO MusicBox

"{500162A0-4DD5-460A-BAFD-895AAE48C532}" = VAIO Media Content Collection 6.0

"{560F6B2E-F0DF-44E5-8190-A4A161F0E205}" = VAIO Media 6.0

"{56345504-DE57-4528-A18B-A567D1E52928}" = ArcSoft Magic-i Visual Effects

"{5855C127-1F20-404D-B7FB-1FD84D7EAB5E}" = VAIO Media Redistribution 6.0

"{596BED91-A1D8-4DF1-8CD1-1C777F7588AC}" = VAIO DVD Menu Data Basic

"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service

"{6332AFF1-9D9A-429C-AA03-F82749FA4F49}" = SonicStage Mastering Studio

"{63A6E9A9-A190-46D4-9430-2DB28654AFD8}" = Norton 360

"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2

"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites

"{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works

"{68A69CFF-130D-4CDE-AB0E-7374ECB144C8}" = Click to Disc

"{69351E9E-23ED-41D5-B146-EDBF83C63B66}" = VAIO Content Metadata Manager Setting

"{6B1F20F2-6321-4669-A58C-33DF8E7517FF}" = VAIO Entertainment Platform

"{6D2576EC-A0E9-418A-A09A-409933A3B6F4}" = VAIO Camera Capture Utility

"{6FA8BA2C-052B-4072-B8E2-2302C268BE9E}" = VAIO Movie Story Template Data

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{72042FA6-5609-489F-A8EA-3C2DD650F667}" = VAIO Control Center

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{785EB1D4-ECEC-4195-99B4-73C47E187721}" = VAIO Media Integrated Server 6.2

"{802889F8-6AF5-45A5-9764-CA5B999E50FC}" = VAIO Power Management

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8ECB8220-F419-4BEB-9596-97033C533702}" = QuickBooks Simple Start 2008

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90AACECD-1E42-4D22-ABAD-7FB9B67B262D}" = H&R Block Premium + Efile + State 2009

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)

"{96D0B6C6-5A72-4B47-8583-A87E55F5FE81}" =

"{97F4D62E-5AEB-4649-BABF-4712C6EF6845}" = DeductionPro 2009

"{98FC7A64-774B-49B5-B046-4B4EBC053FA9}" = VAIO MusicBox Sample Music

"{9C1C8A04-F8CA-4472-A92D-4288CE32DE86}" = SonicStage Mastering Studio Plugins

"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable

"{A63E7492-A0BC-4BB9-89A7-352965222380}" = VAIO Original Function Setting

"{A7DA438C-2E43-4C20-BFDA-C1F4A6208558}" = Setting Utility Series

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AA346790-8BF2-4826-9E30-18E9BB547663}" = VAIO Content Metadata Manager Setting

"{ABF29EC7-47C1-4C63-8FE7-3824FD66F357}" = VAIO Content Metadata Intelligent Analyzing Manager

"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Fran

Elise · July 15, 2010

Hello again,

Please post me also the Combofix log (can be found at c:\log.txt). Note that it isn't advised to run combofix on your own. this is a very powerful tool and can do tremendous damage to your system.

After running the following fix, you may reconnect to the internet. Please let me know if the MBAM messages are gone now.

OTL FIX

------------

We need to run an OTL Fix

Please reopen on your desktop.

Copy and Paste the following code into the

textbox. Do not include the word "Code"

:otl
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

:commands
[emptytemp]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click .
A report will open. Copy and Paste that report in your next reply.

MrHappy · July 15, 2010

OTL fix ran as instructed and log is below. I've included the combofix log from when it was run a few days ago (prior to this thread being started). I've used it in the past on harder to rid items and have had great success (my background is IT so I understand the warnings completely) but unfortunately this time it didn't resolve the issue. I've re-enabled internet access and will be watching to see if the MBAM notices resume. They were random (but always within 24 hrs) so I'll keep this thread updated. If you need me to run ComboFix again today to repost that log instead just let me know. Thank you again!

--- OTL LOG following fix code supplied ---

All processes killed

========== OTL ==========

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Jim

->Temp folder emptied: 4440 bytes

->Temporary Internet Files folder emptied: 9226890 bytes

->Java cache emptied: 133775 bytes

->Flash cache emptied: 1044 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 73382242 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 108927128 bytes

Total Files Cleaned = 183.00 mb

OTL by OldTimer - Version 3.2.9.0 log created on 07152010_154117

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

--- End of OTL LOG ---

--- ComboFix log from a few days ago prior to this thread being opened ---

ComboFix 10-07-12.06 - Jim 07/13/2010 19:21:56.4.2 - x86

Microsoft

Elise · July 15, 2010

Please keep me posted on the MBAM warnings.

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
Look for "JDK 6 Update 21 (JDK or JRE)".
Click the "Download JRE" button to the right.
Select your Platform: "Windows".
Select your Language: "Multi-language".
Read the License Agreement, and then check the box that says: "Accept License Agreement".
Click Continue and the page will refresh.
Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
When the Java Setup - Welcome window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
2. Click on to download the ESET Smart Installer. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  Note - when ESET doesn't find any threats, no report will be created.
12. Push the button.
13. Push

MrHappy · July 15, 2010

I had actually run JavaRA to remove all old Java (after combofix I believe) and was running 6r20 but removed it and installed 6r21 (though I don't believe 21 was a security update but I could be wrong on that). Have previously run ESET as well but am doing so again at the present. I'll post the results of that scan as soon as it completes. Thank you again so much for your continued help!!

MrHappy · July 15, 2010

I checked my MBAM protection logs and noticed this entry following the reboot from earlier today and am a bit concerned....

15:41:27 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent ALLOW

15:45:08 Jim MESSAGE Protection started successfully

15:45:12 Jim MESSAGE IP Protection started successfully

Why would that be set to allow? I am the only one who has access to this machine and definitely did not set it to allow. Also, there is nothing listed in the Ignore List within MBAM. If this is set to allow the popup warning will never occur, correct? (Note that I did not get an MBAM popup when this apparently happened and only noticed this due to the log entry) This is one of the 3 items that was previously popping up.

As for ESET, it found no threats with all options checked. I'm going to leave the PC on and running to check for any more MBAM warnings or log entries. Any other thoughts or tasks you'd like me to perform? Do you know how to disallow that entry from above?

Thank you again.

MrHappy · July 16, 2010

FYI, I am still getting (at least) the ERNEL32.DLL infection popup from MBAM. The other 2 have not shown up yet but with time they usually do. MBAM entries in the protection log are below:

20:37:45 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent QUARANTINE

20:37:46 Jim ERROR Quarantine failed: UtilityReadFile failed with error code 2

20:37:56 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY

I'll await your next steps. Thank you.

Elise · July 16, 2010

Please download a new copy of combofix and run it (instructions below). Its important not to use any old copy you still may have.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

MrHappy · July 16, 2010

MBAM and MS Security Essentials disabled during the scan. ComboFix run as administrator (system is Vista but the user is an admin, fyi, however I explicitly ran it as admin just in case) Log is below:

ComboFix 10-07-15.03 - Jim 07/16/2010 10:10:42.5.2 - x86

Microsoft

Elise · July 16, 2010

Could you please launch MBAM, update it and run a full scan? Post me the resulting log.

MrHappy · July 16, 2010

I actually ran one last night with no detections (it only pops up finding the ernel32.dll file but never during a full scan and the file doesnt exist on the drive even by showing all files and checking with attrib) but I've updated it to the most current since yesterday evening and am running it again. Will post the results as soon as it completes.

Elise · July 16, 2010

Okay, if nothing is detected, please run RootRepeal as instructed.

ROOTREPEAL

-------------

We need to check for rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
- Direct Download (RECOMMENDED)

[*]Zip Mirrors

Primary Mirror

[*]Rar Mirrors - Only if you know what a RAR is and can extract it.

Primary Mirror

[*]Open on your desktop.

[*]Click the tab.

[*]Click the button.

[*]Check all seven boxes:

[*]Push Ok

[*]Check the box for your main system drive (Usually C:), and press Ok.

[*]Allow RootRepeal to run a scan of your system. This may take some time.

[*]Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

MrHappy · July 16, 2010

When attempting to run RootRepeal it begins, runs for a while then a small window pops up but nothing is in the window and it is completely transparent. I can move it around the screen (and it just shows whatever is behind it on the background) If I click anywhere on the window it closes and then rootrepeal briefly says non-responsive and closes itself. Am I able to run this in safe mode as an attempt to get it to complete?

Elise · July 16, 2010

Yes, please run it in safe mode.

MrHappy · July 16, 2010

Unfortunately that was even less productive. In safe mode it causes an instant blue screen of death (page fault in unpaged area for roorrepeal.sys). Tried it twice, once as admin once by just running the file normally. It at least runs for a while in standard mode but closes before it ever finishes scanning somewhere nested in the c:\Windows\WinSXS folder (or perhaps after, it's kind of hard to tell) I do not normally get any BSOD on this laptop otherwise, fyi.

MrHappy · July 16, 2010

Sorry, I meant to type rootrepeal.sys not roorrepeal.sys.

Elise · July 17, 2010

Lets try something else in that case. Just because a rootkit scanner BSODs doesn't mean you have a problem with your computer. Because a rootkit scanner scans kernel processes, it can make the system unstable. :angry:

For the following steps, make sure to download a new copy of combofix!

CF-SCRIPT

-------------

We need to execute a CF-script.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

Rootkit::
C:\WINDOWS\SYSTEM32\ERNEL32.DLL
C:\USERS\JIM\APPDATA\LOCAL\TEMP\WSCSVC32.EXE

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

MrHappy · July 17, 2010

Done and done Below is the ComboFix log...

ComboFix 10-07-15.05 - Jim 07/17/2010 11:02:14.6.2 - x86

Microsoft

MrHappy · July 17, 2010

Also, I just checked my Malwarebytes log following the reboot after ComboFix and have a new entry not previously seen:

11:02:19 Jim DETECTION C:\WINDOWS\SYSTEM32\SWIN32.EXE Trojan.Agent ALLOW

Nothing popped up (MBAM was closed during ComboFix scan by the way) and I certainly didn't allow it.

Elise · July 17, 2010

Can you give me the exact message of these MBAM messages?

MrHappy · July 17, 2010

That is the exact message from the protection logs. For the ernel32.dll sometimes it will pop up saying MBAM has found a malicious process and give me the option to quarantine or allow but recently it just appears as a message in the log (with no popup occurring) Here's logs from Thurs and today with entries..

Thursday:

14:37:04 Jim MESSAGE Protection started successfully

14:37:08 Jim MESSAGE IP Protection started successfully

15:18:00 Jim ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007

15:41:27 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent ALLOW

15:45:08 Jim MESSAGE Protection started successfully

15:45:12 Jim MESSAGE IP Protection started successfully

16:06:24 Jim MESSAGE IP Protection stopped

16:06:24 Jim MESSAGE IP Protection started successfully

16:18:03 Jim MESSAGE Scheduled update executed successfully

16:18:04 Jim MESSAGE IP Protection stopped

16:18:08 Jim MESSAGE Database updated successfully

16:18:09 Jim MESSAGE IP Protection started successfully

17:18:04 Jim MESSAGE Scheduled update executed successfully

17:18:05 Jim MESSAGE IP Protection stopped

17:18:14 Jim MESSAGE Database updated successfully

17:18:15 Jim MESSAGE IP Protection started successfully

17:34:47 Jim MESSAGE Protection started successfully

17:34:50 Jim MESSAGE IP Protection started successfully

20:37:45 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent QUARANTINE

20:37:46 Jim ERROR Quarantine failed: UtilityReadFile failed with error code 2

20:37:56 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY

20:38:31 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY

20:40:50 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY

21:06:46 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY

21:38:18 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY

22:38:18 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY

And today's so far...

10:56:46 Jim MESSAGE Protection started successfully

10:56:50 Jim MESSAGE IP Protection started successfully

11:02:19 Jim DETECTION C:\WINDOWS\SYSTEM32\SWIN32.EXE Trojan.Agent ALLOW

11:11:48 Jim MESSAGE Protection started successfully

11:11:52 Jim MESSAGE IP Protection started successfully

11:18:03 Jim MESSAGE Scheduled update executed successfully

11:18:04 Jim MESSAGE IP Protection stopped

11:18:08 Jim MESSAGE Database updated successfully

11:18:09 Jim MESSAGE IP Protection started successfully

11:21:35 Jim MESSAGE Protection started successfully

11:21:39 Jim MESSAGE IP Protection started successfully

14:05:50 Jim MESSAGE Protection started successfully

14:05:54 Jim MESSAGE IP Protection started successfully

14:18:05 Jim MESSAGE Scheduled update executed successfully

14:18:06 Jim MESSAGE IP Protection stopped

14:18:10 Jim MESSAGE Database updated successfully

14:18:11 Jim MESSAGE IP Protection started successfully

The SWIN32.EXE is new, I haven't seen that prior to today and it didn't pop up, just showed in the logs. The ERNEL32.DLL does both (or has in the past).

TDSS remnants - ERNEL32.DLL removal help please

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information