ent
Honorary Members
Posts: 58
Reputation: 0 Neutral
  1. UPDATE: I just re-installed IE8 and it did not change anything. UPDATE 2: I managed to find a stand-alone executable at Microsoft that allowed me to install the WannaCry patch. It seemed to work, but I still have the problem of being unable to run Windows Update and hence, unable to get virus updates and future fixes. (And the problem of the re-appearing registry key.) Does anyone have any suggestions?
  2. I'm a Windows XP user who has always gotten virus updates and occasional patches from Microsoft. Seemingly, on the very day that they announced the patch for the WannaCry malware, my Windows Update option stopped working. I can view any other websites with IE8, but when I try to do a Windows update, I get the following error message:
     Internet Explorer cannot display the webpage
     When I run MS Security Essentials (with its now 3-week old virus definitions), it finds nothing. I downloaded and ran combofix, but it found nothing and fixed nothing. When I run the free Malwarebytes, it repeatedly finds this key:
     PUM.Optional.ProxyHijacker, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:5555, , [021061e0ccdd2610f72bd3308a796997]
     I can delete the registry key, but it always comes back in a matter of hours. Where should I go from here? Thanks!
  3. I'm sorry, but I described the problem incorrectly. It's the Malicious Website Protection that I can't get enabled. Does that change your analysis? Regarding MS Security Essentials, they say they will continue to provide virus definition updates until July, 2015. So it shouldn't strictly be necessary to switch to other virus software before then. Of course, that also raises the question of whether other virus software products will support XP, and if they do, how long they will continue to do so in the future.
  4. I'm having the same problem that others are -- I cannot enable the self-protection module. I've already run the Clean Removal tool and the diagnostics. Attached are the results. One question while I'm here... The Clean Removal instructions tell you to disable and enable your virus protection at various points, but it's hard to enable protection when you've just removed it. Are you suggesting that we need to use another virus protection product in addition to MBAM? The whole reason that I switched to the paid, premium version was so that I could get rid of Microsoft Security Essentials, which has just started hanging my computer in the last couple of days. Is MBAM not virus protection? Why should I need another product? Thanks!
     Attachments: FRST.txt, Addition.txt
  5. Combofix removed. SecurityCheck already gone. Already on Java 6.26. Not seeing any problems.
  6. I have Firefox installed but not Chrome. (I also have IE7 installed, if that matters.) One question... Why does combofix create and leave lying on my desktop an IE7 executable? It's not a shortcut. When I right click it, I get the options: Open Home Page / Start Without Add-ons / Create Shortcut / Delete / Rename / Properties. It did the same thing the last time I ran it. Here are the logs. The DDS Attach.txt file is attached. Thanks.
     ==================================================
     ==================================================
     ComboFix 11-07-03.01 - Bill Entwistle 07/03/2011 18:47:56.2.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.535 [GMT -5:00]
     Running from: c:\documents and settings\Bill Entwistle\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Bill Entwistle\Desktop\CFScript.txt
     AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\tpt0zqrw.default\extensions
     c:\documents and settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions
     c:\documents and settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\chrome.manifest
     c:\documents and settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\chrome\chrome_user.jar
     c:\documents and settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\defaults\preferences\defaults.js
     c:\documents and settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\install.rdf
     .
     .
     ((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
     .
     .
     2011-07-02 03:59 . 2011-06-07 15:55 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{58F68A57-2A46-4E2E-A50B-E24D9290F61A}\mpengine.dll
     2011-06-30 00:12 . 2011-06-30 00:12 -------- d-----w- c:\program files\Common Files\Java
     2011-06-29 02:23 . 2011-06-29 02:24 -------- d-----w- c:\program files\Common Files\Adobe
     2011-06-28 06:38 . 2011-06-28 13:11 -------- d-----w- c:\documents and settings\Bill Entwistle\.jbidwatcher
     2011-06-28 06:00 . 2011-06-28 06:00 -------- d-----w- c:\documents and settings\Bill Entwistle\Local Settings\Application Data\Programs
     2011-06-26 06:04 . 2011-06-26 06:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
     2011-06-19 10:01 . 2011-06-19 10:01 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\ArcSoft
     2011-06-19 10:00 . 2011-06-19 10:00 -------- d-----w- c:\documents and settings\Admin\Application Data\Logitech
     2011-06-19 10:00 . 2011-06-19 10:01 -------- d-----w- c:\documents and settings\Admin\Application Data\ArcSoft
     2011-06-19 05:26 . 2011-06-07 15:55 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
     2011-06-15 00:16 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
     2011-06-11 20:22 . 2011-06-11 20:22 -------- d-----w- c:\program files\Windows Defender
     2011-06-09 03:15 . 2011-06-29 02:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2011-05-29 14:11 . 2009-11-15 05:38 39984 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
     2011-05-25 00:14 . 2009-10-02 22:36 222080 ------w- c:\windows\system32\MpSigStub.exe
     2011-05-17 04:15 . 2011-05-17 04:15 53248 ------r- c:\documents and settings\Bill Entwistle\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
     2011-05-17 04:13 . 2011-05-17 04:13 16400 ------w- c:\windows\system32\drivers\LNonPnP.sys
     2011-05-04 09:52 . 2011-03-10 09:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
     2011-05-04 07:25 . 2011-03-10 09:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
     2011-05-02 15:31 . 2004-08-11 21:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
     2011-04-29 17:25 . 2004-08-11 21:00 151552 ----a-w- c:\windows\system32\schannel.dll
     2011-04-29 16:19 . 2004-08-11 21:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     2011-04-25 15:51 . 2004-08-11 21:00 832512 ----a-w- c:\windows\system32\wininet.dll
     2011-04-25 15:51 . 2004-08-11 21:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
     2011-04-25 15:51 . 2004-08-11 21:00 78336 ----a-w- c:\windows\system32\ieencode.dll
     2011-04-25 15:51 . 2004-08-11 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
     2011-04-25 12:01 . 2004-08-11 21:00 389120 ------w- c:\windows\system32\html.iec
     2011-04-21 13:37 . 2004-08-11 21:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
     .
     .
     ((((((((((((((((((((((((((((( SnapShot@2011-06-26_05.52.50 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2011-06-29 02:20 . 2011-06-29 02:20 240288 c:\windows\system32\Macromed\Flash\FlashUtil10t_Plugin.exe
     + 2011-06-30 00:10 . 2011-05-04 09:52 157472 c:\windows\system32\javaws.exe
     + 2011-06-30 00:10 . 2011-05-04 09:52 145184 c:\windows\system32\javaw.exe
     - 2011-03-10 09:16 . 2011-03-10 09:16 145184 c:\windows\system32\javaw.exe
     + 2011-06-30 00:10 . 2011-05-04 09:52 145184 c:\windows\system32\java.exe
     - 2011-03-10 09:16 . 2011-03-10 09:16 145184 c:\windows\system32\java.exe
     + 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
     + 2011-06-30 00:12 . 2011-06-30 00:12 203776 c:\windows\Installer\6d2d0.msi
     - 2011-03-16 21:17 . 2011-06-09 03:15 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
     + 2011-03-16 21:17 . 2011-06-29 02:20 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
     + 2011-06-29 02:24 . 2011-06-29 02:24 2295808 c:\windows\Installer\40c56.msi
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
     "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
     "SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
     "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
     "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
     "ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
     "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
     "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
     "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
     "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
     "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
     .
     c:\documents and settings\Administrator\Start Menu\Programs\Startup\
     Uninstall LastPass RunOnce.lnk - c:\documents and settings\Administrator\Application Data\lpuninstall.exe [2011-4-3 9319112]
     .
     c:\documents and settings\Bill Entwistle\Start Menu\Programs\Startup\
     CapsUnlock.lnk - c:\program files\CapsUnlock\CapsUnlock.exe [2007-4-25 13312]
     FlashTray.lnk - c:\program files\FlashTray Pro\FlashTray.exe [2007-5-7 555520]
     .
     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
     Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-1-14 344064]
     .
     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Eudora\EuShlExt.dll" [2006-08-17 86016]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
     2010-10-28 10:13 64592 ------w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
     @=""
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
     @="Driver"
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
     @="Service"
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001
     .
     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "g:\\WS FTP\\WS_FTP95.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\TeraTerm\\ttermpro.exe"=
     "c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
     "c:\\Program Files\\Seagate\\SeagateManager\\FreeAgent Status\\stxmenumgr.exe"=
     "c:\\Program Files\\Dell Support\\DSAgnt.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     .
     R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
     R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [5/16/2011 11:12 PM 10448]
     R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/20/2011 8:07 PM 105592]
     S2 0258161238559076mcinstcleanup;0258161238559076mcinstcleanup; [x]
     S2 0327391238561196mcinstcleanup;0327391238561196mcinstcleanup; [x]
     S2 winmgmt32;Windows Management Instrumentation ;c:\windows\system32\msacm32.exe --> c:\windows\system32\msacm32.exe [?]
     S3 LW;LW;c:\docume~1\BILLEN~1\LOCALS~1\Temp\LW.exe --> c:\docume~1\BILLEN~1\LOCALS~1\Temp\LW.exe [?]
     S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]
     S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
     S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
     .
     --- Other Services/Drivers In Memory ---
     .
     *NewlyCreated* - JAVAQUICKSTARTERSERVICE
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
     2007-09-19 16:32 7680 ------w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2011-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 18:34]
     .
     2011-07-03 c:\windows\Tasks\MP Scheduled Scan.job
     - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
     .
     2011-06-30 c:\windows\Tasks\WGASetup.job
     - c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = about:blank
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uInternet Connection Wizard,ShellNext = iexplore
     uInternet Settings,ProxyOverride = <local>;*.local
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     Trusted Zone: internet
     Trusted Zone: netflix.com\www
     Trusted Zone: pandora.com
     TCP: DhcpNameServer = 192.168.1.254
     DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2011-07-03 18:53
     Windows 5.1.2600 Service Pack 3 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
     @DACL=(02 0000)
     @="bootstrap.application.1"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\.xaml\bootstrap]
     @DACL=(02 0000)
     @="bootstrap.xaml.1"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\.xbap\bootstrap]
     @DACL=(02 0000)
     @="bootstrap.xbap.1"
     .
     [HKEY_LOCAL_MACHINE\software\Classes\.xps\bootstrap]
     @DACL=(02 0000)
     @="bootstrap.xps.1"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     .
     - - - - - - - > 'winlogon.exe'(748)
     c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
     c:\windows\system32\igfxdev.dll
     .
     Completion time: 2011-07-03 18:56:16
     ComboFix-quarantined-files.txt 2011-07-03 23:56
     .
     Pre-Run: 47,384,379,392 bytes free
     Post-Run: 47,383,592,960 bytes free
     .
     - - End Of File - - 437E6A4A01890D04975D8125B859DE13
     ==================================================
     ==================================================
     .
     DDS (Ver_2011-06-23.01) - NTFSx86
     Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
     Run by Bill Entwistle at 18:58:44 on 2011-07-03
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.463 [GMT -5:00]
     .
     AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
     .
     ============== Running Processes ===============
     .
     C:\WINDOWS\system32\svchost.exe -k DcomLaunch
     svchost.exe
     C:\Program Files\Windows Defender\MsMpEng.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
     svchost.exe
     svchost.exe
     C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
     C:\WINDOWS\system32\spoolsv.exe
     svchost.exe
     C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Symantec AntiVirus\DefWatch.exe
     C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
     C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
     C:\WINDOWS\stsystra.exe
     C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\WINDOWS\System32\DLA\DLACTRLW.EXE
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
     C:\Program Files\Logitech\SetPointP\SetPoint.exe
     C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
     C:\Program Files\Dell Support\DSAgnt.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
     C:\Program Files\CapsUnlock\CapsUnlock.exe
     C:\Program Files\FlashTray Pro\FlashTray.exe
     C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
     C:\WINDOWS\system32\SNDVOL32.EXE
     C:\Program Files\Windows Defender\MSASCui.exe
     C:\Program Files\Symantec AntiVirus\VPC32.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\WINDOWS\explorer.exe
     .
     ============== Pseudo HJT Report ===============
     .
     uStart Page = about:blank
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uInternet Connection Wizard,ShellNext = iexplore
     uInternet Settings,ProxyOverride = <local>;*.local
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
     BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
     BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
     BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
     BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
     uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
     uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
     mRun: [igfxTray] c:\windows\system32\igfxtray.exe
     mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
     mRun: [Persistence] c:\windows\system32\igfxpers.exe
     mRun: [sigmatelSysTrayApp] stsystra.exe
     mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
     mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
     mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
     mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
     mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
     mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
     mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
     mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
     mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
     mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
     mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
     mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
     mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
     mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
     StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\capsun~1.lnk - c:\program files\capsunlock\CapsUnlock.exe
     StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\flasht~1.lnk - c:\program files\flashtray pro\FlashTray.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
     Trusted Zone: internet
     Trusted Zone: netflix.com\www
     Trusted Zone: pandora.com
     DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
     DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
     DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
     DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1307775913765
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177138576847
     DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177467272937
     DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
     DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
     DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
     DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
     DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
     TCP: DhcpNameServer = 192.168.1.254
     TCP: Interfaces\{579E98ED-CD52-4E61-B524-E6FBBB03B165} : DhcpNameServer = 192.168.1.254
     Notify: igfxcui - igfxdev.dll
     Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
     Notify: NavLogon - c:\windows\system32\NavLogon.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora\EuShlExt.dll
     SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
     mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe
     .
     ============= SERVICES / DRIVERS ===============
     .
     R1 mfehidk;mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-16 213640]
     R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
     R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
     R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
     R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
     R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
     R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2011-5-16 10448]
     R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-20 105592]
     R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110701.002\naveng.sys [2011-7-1 86008]
     R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110701.002\navex15.sys [2011-7-1 1542392]
     S2 0258161238559076mcinstcleanup;0258161238559076mcinstcleanup; [x]
     S2 0327391238561196mcinstcleanup;0327391238561196mcinstcleanup; [x]
     S2 winmgmt32;Windows Management Instrumentation ;c:\windows\system32\msacm32.exe --> c:\windows\system32\msacm32.exe [?]
     S3 LW;LW;c:\docume~1\billen~1\locals~1\temp\lw.exe --> c:\docume~1\billen~1\locals~1\temp\LW.exe [?]
     S3 mferkdk;mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-31 34216]
     S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]
     S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
     S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
     S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
     .
     =============== File Associations ===============
     .
     .txt=TextPad.txt
     .
     =============== Created Last 30 ================
     .
     2011-07-02 03:59:12 7074640 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{58f68a57-2a46-4e2e-a50b-e24d9290f61a}\mpengine.dll
     2011-06-28 06:38:12 -------- d-----w- c:\documents and settings\bill entwistle\.jbidwatcher
     2011-06-28 06:00:22 -------- d-----w- c:\documents and settings\bill entwistle\local settings\application data\Programs
     2011-06-26 05:43:52 -------- d-sha-r- C:\cmdcons
     2011-06-26 05:41:52 98816 ----a-w- c:\windows\sed.exe
     2011-06-26 05:41:52 518144 ----a-w- c:\windows\SWREG.exe
     2011-06-26 05:41:52 256000 ----a-w- c:\windows\PEV.exe
     2011-06-26 05:41:52 208896 ----a-w- c:\windows\MBR.exe
     2011-06-19 05:26:07 7074640 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\backup\mpengine.dll
     2011-06-15 00:16:28 105472 ------w- c:\windows\system32\dllcache\mup.sys
     2011-06-09 03:15:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2011-06-06 17:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
     .
     ==================== Find3M ====================
     .
     2011-05-29 14:11:30 39984 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
     2011-05-25 00:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
     2011-05-17 04:13:51 16400 ------w- c:\windows\system32\drivers\LNonPnP.sys
     2011-05-04 09:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
     2011-05-04 07:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
     2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
     2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
     2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     2011-04-25 15:51:58 832512 ----a-w- c:\windows\system32\wininet.dll
     2011-04-25 15:51:57 78336 ----a-w- c:\windows\system32\ieencode.dll
     2011-04-25 15:51:57 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
     2011-04-25 15:51:57 17408 ----a-w- c:\windows\system32\corpol.dll
     2011-04-25 12:01:21 389120 ------w- c:\windows\system32\html.iec
     2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
     .
     ============= FINISH: 18:59:17.67 ===============
     Attachment: Attach.zip
  7. A couple more notes... I just updated Java, and I ran another scan with the AVG bootable disc scanner and it found nothing.
  8. ESET found more bugs. Scan results below. Last night and today, Symantec also found some malware files. Here are the results in CSV format. CSV seems to be the only way to export log results from Symantec. Let me know if this is a problem. I'm not seeing any obvious symptoms of infection at this time. Thanks!
     ==================================================
     Risk,Action,Count,Filename,Risk Type,Original Location,Computer,User,Status,Current Location,Primary Action,Secondary Action,Logged By,Action Description,Date
     Trojan.Gen.2,Quarantined,2,A0036175.dll,File,C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP526\,TUCKER,TUCKER\Bill Entwistle,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,6/29/2011 10:16:16 AM
     Trojan.Gen.2,Quarantined,2,A0034022.dll,File,C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP481\,TUCKER,TUCKER\Bill Entwistle,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,6/29/2011 10:13:55 AM
     Adware.DateManager,Quarantined,2,A0037360.exe,Adware,C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP532\,TUCKER,TUCKER\SYSTEM,Infected,Quarantine,Quarantine,Leave alone (log only),Auto-Protect scan,The file was quarantined successfully.,6/29/2011 12:33:56 AM
     ==================================================
     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # iexplore.exe=7.00.6000.17098 (vista_gdr.110420-1745)
     # OnlineScanner.ocx=1.0.0.6526
     # api_version=3.0.2
     # EOSSerial=d459dbbf1200f34c852d19b71234cbc2
     # end=finished
     # remove_checked=true
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2011-06-19 05:17:01
     # local_time=2011-06-19 12:17:01 (-0600, Central Daylight Time)
     # country="United States"
     # lang=9
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=1797 16774142 0 1 202474 202474 0 0
     # compatibility_mode=5889 16768381 100 100 543645 148278136 0 620590
     # compatibility_mode=8192 67108863 100 0 48332503 48332503 0 0
     # scanned=97882
     # found=4
     # cleaned=4
     # scan_time=3231
     C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tpt0zqrw.default\extensions\{80ca0793-89ed-41ef-a964-958f4c3e1a4d}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
     C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions\{80ca0793-89ed-41ef-a964-958f4c3e1a4d}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
     C:\RECYCLER\S-1-5-21-3238264531-3539326320-3744746308-1005\Dc4.dllXXX a variant of Win32/Kryptik.OKQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
     C:\WINDOWS\system32\lpk32.dll a variant of Win32/Kryptik.OKQ trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
     esets_scanner_update returned -1 esets_gle=53251
     # version=7
     # iexplore.exe=7.00.6000.17098 (vista_gdr.110420-1745)
     # OnlineScanner.ocx=1.0.0.6526
     # api_version=3.0.2
     # EOSSerial=d459dbbf1200f34c852d19b71234cbc2
     # end=finished
     # remove_checked=true
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2011-06-19 06:54:17
     # local_time=2011-06-19 01:54:17 (-0600, Central Daylight Time)
     # country="United States"
     # lang=9
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=1797 16774142 0 1 208528 208528 0 0
     # compatibility_mode=6143 16777215 0 0 0 0 0 0
     # compatibility_mode=8192 67108863 100 0 48338557 48338557 0 0
     # scanned=98159
     # found=1
     # cleaned=1
     # scan_time=3012
     C:\Documents and Settings\Bill Entwistle\Local Settings\temp\NOD1969.tmp a variant of Win32/Kryptik.OKQ trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
     # version=7
     # iexplore.exe=7.00.6000.17098 (vista_gdr.110420-1745)
     # OnlineScanner.ocx=1.0.0.6526
     # api_version=3.0.2
     # EOSSerial=d459dbbf1200f34c852d19b71234cbc2
     # end=finished
     # remove_checked=true
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2011-06-25 07:16:46
     # local_time=2011-06-25 02:16:46 (-0600, Central Daylight Time)
     # country="United States"
     # lang=9
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=6143 16777215 0 0 0 0 0 0
     # compatibility_mode=8192 67108863 100 0 48901661 48901661 0 0
     # scanned=100250
     # found=0
     # cleaned=0
     # scan_time=2859
     # version=7
     # iexplore.exe=7.00.6000.17098 (vista_gdr.110420-1745)
     # OnlineScanner.ocx=1.0.0.6526
     # api_version=3.0.2
     # EOSSerial=d459dbbf1200f34c852d19b71234cbc2
     # end=finished
     # remove_checked=true
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2011-06-29 03:46:09
     # local_time=2011-06-29 10:46:09 (-0600, Central Daylight Time)
     # country="United States"
     # lang=9
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=6143 16777215 0 0 0 0 0 0
     # compatibility_mode=8192 67108863 100 0 49234257 49234257 0 0
     # scanned=103366
     # found=2
     # cleaned=2
     # scan_time=3224
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP526\A0036173.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP526\A0036174.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
     ==================================================
     Results of screen317's Security Check version 0.99.17
     Windows XP Service Pack 3
     Internet Explorer 7 Out of date!
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Firewall Enabled!
     ESET Online Scanner v3
     Symantec AntiVirus
     Antivirus up to date!
     ```````````````````````````````
     Anti-malware/Other Utilities Check:
     MVPS Hosts File
     Malwarebytes' Anti-Malware
     CCleaner
     Java 6 Update 22
     Out of date Java installed!
     Adobe Flash Player 10.3.181.26
     Adobe Reader X (10.1.0)
     Mozilla Firefox (x86 en-US..)
     Mozilla Thunderbird (3.1.11)
     ````````````````````````````````
     Process Check: objlist.exe by Laurent
     Windows Defender MSMpEng.exe
     Windows Defender MSASCui.exe
     Symantec AntiVirus DefWatch.exe
     Symantec AntiVirus Rtvscan.exe
     ESET ESET Online Scanner OnlineCmdLineScanner.exe
     Windows Defender MsMpEng.exe
     Windows Defender MSASCui.exe
     ``````````End of Log````````````
  9. Almost forgot. Here's my TDSSKiller log from earlier today.

     ==================================================
     2011/06/25 13:18:51.0796 2764 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
     2011/06/25 13:18:52.0875 2764 ================================================================================
     2011/06/25 13:18:52.0875 2764 SystemInfo:
     2011/06/25 13:18:52.0875 2764
     2011/06/25 13:18:52.0875 2764 OS Version: 5.1.2600 ServicePack: 3.0
     2011/06/25 13:18:52.0875 2764 Product type: Workstation
     2011/06/25 13:18:52.0875 2764 ComputerName: TUCKER
     2011/06/25 13:18:52.0875 2764 UserName: Bill Entwistle
     2011/06/25 13:18:52.0875 2764 Windows directory: C:\WINDOWS
     2011/06/25 13:18:52.0875 2764 System windows directory: C:\WINDOWS
     2011/06/25 13:18:52.0875 2764 Processor architecture: Intel x86
     2011/06/25 13:18:52.0875 2764 Number of processors: 2
     2011/06/25 13:18:52.0875 2764 Page size: 0x1000
     2011/06/25 13:18:52.0875 2764 Boot type: Normal boot
     2011/06/25 13:18:52.0875 2764 ================================================================================
     2011/06/25 13:18:53.0890 2764 Initialize success
     2011/06/25 13:18:58.0421 2200 ================================================================================
     2011/06/25 13:18:58.0421 2200 Scan started
     2011/06/25 13:18:58.0421 2200 Mode: Manual;
     2011/06/25 13:18:58.0421 2200 ================================================================================
     2011/06/25 13:18:59.0906 2200 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
     2011/06/25 13:19:00.0000 2200 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
     2011/06/25 13:19:00.0062 2200 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
     2011/06/25 13:19:00.0140 2200 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
     2011/06/25 13:19:00.0250 2200 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
     2011/06/25 13:19:00.0328 2200 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
     2011/06/25 13:19:00.0390 2200 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
     2011/06/25 13:19:00.0437 2200 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
     2011/06/25 13:19:00.0500 2200 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
     2011/06/25 13:19:00.0546 2200 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
     2011/06/25 13:19:00.0609 2200 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
     2011/06/25 13:19:00.0718 2200 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
     2011/06/25 13:19:00.0812 2200 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
     2011/06/25 13:19:00.0875 2200 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
     2011/06/25 13:19:00.0937 2200 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
     2011/06/25 13:19:01.0015 2200 AN983 (116bff96077a4a724e0aab800525ceb5) C:\WINDOWS\system32\DRIVERS\AN983.sys
     2011/06/25 13:19:01.0062 2200 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
     2011/06/25 13:19:01.0140 2200 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
     2011/06/25 13:19:01.0218 2200 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
     2011/06/25 13:19:01.0343 2200 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
     2011/06/25 13:19:01.0390 2200 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
     2011/06/25 13:19:01.0531 2200 ati2mtaa (2d030c2f6b036ca0bc243e1b16d924d1) C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
     2011/06/25 13:19:01.0609 2200 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/06/25 13:19:01.0671 2200 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2011/06/25 13:19:01.0718 2200 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2011/06/25 13:19:01.0968 2200 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys 2011/06/25 13:19:02.0015 2200 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2011/06/25 13:19:02.0109 2200 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys 2011/06/25 13:19:02.0140 2200 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2011/06/25 13:19:02.0203 2200 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2011/06/25 13:19:02.0296 2200 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2011/06/25 13:19:02.0453 2200 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys 2011/06/25 13:19:02.0578 2200 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys 2011/06/25 13:19:02.0640 2200 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys 2011/06/25 13:19:02.0703 2200 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys 2011/06/25 13:19:02.0828 2200 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2011/06/25 13:19:02.0906 2200 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS 2011/06/25 13:19:03.0062 2200 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS 2011/06/25 13:19:03.0250 2200 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS 2011/06/25 13:19:03.0296 2200 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS 2011/06/25 13:19:03.0500 2200 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) 
C:\WINDOWS\system32\DLA\DLAOPIOM.SYS 2011/06/25 13:19:03.0671 2200 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS 2011/06/25 13:19:03.0843 2200 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS 2011/06/25 13:19:04.0031 2200 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS 2011/06/25 13:19:04.0156 2200 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS 2011/06/25 13:19:04.0281 2200 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 2011/06/25 13:19:04.0359 2200 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 2011/06/25 13:19:04.0437 2200 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2011/06/25 13:19:04.0515 2200 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2011/06/25 13:19:04.0593 2200 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys 2011/06/25 13:19:04.0656 2200 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2011/06/25 13:19:04.0734 2200 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS 2011/06/25 13:19:04.0906 2200 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS 2011/06/25 13:19:05.0062 2200 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys 2011/06/25 13:19:05.0187 2200 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys 2011/06/25 13:19:05.0281 2200 e1express (00192f0c612591d585594e9467e6ca8b) C:\WINDOWS\system32\DRIVERS\e1e5132.sys 2011/06/25 13:19:05.0421 2200 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 2011/06/25 13:19:05.0640 2200 EraserUtilRebootDrv (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec 
Shared\EENGINE\EraserUtilRebootDrv.sys 2011/06/25 13:19:05.0828 2200 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2011/06/25 13:19:05.0921 2200 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys 2011/06/25 13:19:05.0968 2200 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 2011/06/25 13:19:06.0031 2200 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys 2011/06/25 13:19:06.0093 2200 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2011/06/25 13:19:06.0250 2200 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2011/06/25 13:19:06.0312 2200 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2011/06/25 13:19:06.0406 2200 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys 2011/06/25 13:19:06.0468 2200 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2011/06/25 13:19:06.0546 2200 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 2011/06/25 13:19:06.0640 2200 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2011/06/25 13:19:06.0718 2200 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys 2011/06/25 13:19:06.0765 2200 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2011/06/25 13:19:06.0937 2200 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys 2011/06/25 13:19:07.0015 2200 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys 2011/06/25 13:19:07.0093 2200 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2011/06/25 13:19:07.0187 2200 ialm (0674ce8ae167d830b871a99c677c5c59) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 2011/06/25 13:19:07.0390 2200 iaStor (997e8f5939f2d12cd9f2e6b395724c16) 
C:\WINDOWS\system32\drivers\iaStor.sys 2011/06/25 13:19:07.0625 2200 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2011/06/25 13:19:07.0718 2200 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys 2011/06/25 13:19:07.0812 2200 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 2011/06/25 13:19:07.0859 2200 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2011/06/25 13:19:07.0937 2200 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2011/06/25 13:19:08.0000 2200 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2011/06/25 13:19:08.0062 2200 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2011/06/25 13:19:08.0125 2200 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2011/06/25 13:19:08.0171 2200 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2011/06/25 13:19:08.0234 2200 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2011/06/25 13:19:08.0296 2200 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2011/06/25 13:19:08.0343 2200 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys 2011/06/25 13:19:08.0390 2200 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2011/06/25 13:19:08.0468 2200 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2011/06/25 13:19:08.0546 2200 LBeepKE (c99ba72106a858cb8b521bb4c02c93ed) C:\WINDOWS\system32\Drivers\LBeepKE.sys 2011/06/25 13:19:08.0765 2200 LHidFilt (318b3d608fbec44b7e0c23bf759dced5) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys 2011/06/25 13:19:08.0859 2200 LMouFilt (84af069d219df3c43dc6792b2bbd7bed) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys 2011/06/25 13:19:09.0000 2200 LUsbFilt 
(81642f134929946ab4b9572c4c17298c) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys 2011/06/25 13:19:09.0218 2200 mfehidk (1377b0bb5e6fbe8475be0ed6edfbfbce) C:\WINDOWS\system32\drivers\mfehidk.sys 2011/06/25 13:19:09.0390 2200 mferkdk (cff2c1c2824877d34a411a87e771596d) C:\WINDOWS\system32\drivers\mferkdk.sys 2011/06/25 13:19:09.0515 2200 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2011/06/25 13:19:09.0593 2200 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 2011/06/25 13:19:09.0687 2200 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2011/06/25 13:19:09.0718 2200 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2011/06/25 13:19:09.0765 2200 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2011/06/25 13:19:09.0921 2200 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys 2011/06/25 13:19:09.0968 2200 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2011/06/25 13:19:10.0078 2200 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2011/06/25 13:19:10.0187 2200 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2011/06/25 13:19:10.0281 2200 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2011/06/25 13:19:10.0312 2200 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2011/06/25 13:19:10.0359 2200 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2011/06/25 13:19:10.0406 2200 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2011/06/25 13:19:10.0468 2200 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys 2011/06/25 13:19:10.0578 2200 NAVENG (920d9701bba90dbb7ccfd3536ea4d6f9) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110624.002\naveng.sys 
2011/06/25 13:19:10.0781 2200 NAVEX15 (31b1a9b53c3319b97f7874347cd992d2) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110624.002\navex15.sys 2011/06/25 13:19:11.0046 2200 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2011/06/25 13:19:11.0125 2200 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2011/06/25 13:19:11.0171 2200 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2011/06/25 13:19:11.0234 2200 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2011/06/25 13:19:11.0312 2200 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys 2011/06/25 13:19:11.0390 2200 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2011/06/25 13:19:11.0437 2200 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2011/06/25 13:19:11.0671 2200 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2011/06/25 13:19:11.0734 2200 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2011/06/25 13:19:11.0828 2200 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2011/06/25 13:19:11.0921 2200 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 2011/06/25 13:19:12.0078 2200 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2011/06/25 13:19:12.0125 2200 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2011/06/25 13:19:12.0218 2200 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 2011/06/25 13:19:12.0281 2200 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2011/06/25 13:19:12.0328 2200 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2011/06/25 13:19:12.0390 2200 PCI (a219903ccf74233761d92bef471a07b1) 
C:\WINDOWS\system32\DRIVERS\pci.sys 2011/06/25 13:19:12.0484 2200 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 2011/06/25 13:19:12.0562 2200 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 2011/06/25 13:19:12.0781 2200 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys 2011/06/25 13:19:12.0843 2200 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys 2011/06/25 13:19:12.0953 2200 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2011/06/25 13:19:13.0031 2200 PQNTDrv (b26019a686d36e22f954e67c8fec4297) C:\WINDOWS\system32\drivers\PQNTDrv.sys 2011/06/25 13:19:13.0203 2200 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2011/06/25 13:19:13.0281 2200 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2011/06/25 13:19:13.0343 2200 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2011/06/25 13:19:13.0468 2200 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys 2011/06/25 13:19:13.0531 2200 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys 2011/06/25 13:19:13.0625 2200 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys 2011/06/25 13:19:13.0687 2200 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys 2011/06/25 13:19:13.0750 2200 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys 2011/06/25 13:19:13.0781 2200 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2011/06/25 13:19:13.0859 2200 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2011/06/25 13:19:13.0937 2200 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2011/06/25 13:19:13.0968 2200 Raspti 
(fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2011/06/25 13:19:14.0015 2200 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2011/06/25 13:19:14.0093 2200 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2011/06/25 13:19:14.0140 2200 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 2011/06/25 13:19:14.0218 2200 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2011/06/25 13:19:14.0390 2200 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2011/06/25 13:19:14.0609 2200 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys 2011/06/25 13:19:14.0703 2200 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys 2011/06/25 13:19:14.0859 2200 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2011/06/25 13:19:14.0953 2200 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2011/06/25 13:19:15.0000 2200 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 2011/06/25 13:19:15.0125 2200 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 2011/06/25 13:19:15.0265 2200 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys 2011/06/25 13:19:15.0359 2200 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS 2011/06/25 13:19:15.0421 2200 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys 2011/06/25 13:19:15.0546 2200 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys 2011/06/25 13:19:15.0640 2200 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2011/06/25 13:19:15.0703 2200 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) 
C:\WINDOWS\system32\DRIVERS\sr.sys 2011/06/25 13:19:15.0781 2200 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys 2011/06/25 13:19:15.0906 2200 STHDA (797fcc1d859b203958e915bb82528da9) C:\WINDOWS\system32\drivers\sthda.sys 2011/06/25 13:19:16.0109 2200 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2011/06/25 13:19:16.0156 2200 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2011/06/25 13:19:16.0281 2200 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys 2011/06/25 13:19:16.0328 2200 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys 2011/06/25 13:19:16.0421 2200 SymEvent (de6d1102d55926354171ae4e73936725) C:\Program Files\Symantec\SYMEVENT.SYS 2011/06/25 13:19:16.0578 2200 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS 2011/06/25 13:19:16.0671 2200 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS 2011/06/25 13:19:16.0859 2200 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys 2011/06/25 13:19:16.0921 2200 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys 2011/06/25 13:19:16.0984 2200 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2011/06/25 13:19:17.0125 2200 tbhsd (5d8c820e2d885c25ffc6bbc5d4fe073c) C:\WINDOWS\system32\drivers\tbhsd.sys 2011/06/25 13:19:17.0218 2200 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2011/06/25 13:19:17.0296 2200 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2011/06/25 13:19:17.0421 2200 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2011/06/25 13:19:17.0531 2200 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2011/06/25 13:19:17.0640 2200 TosIde (f2790f6af01321b172aa62f8e1e187d9) 
C:\WINDOWS\system32\DRIVERS\toside.sys 2011/06/25 13:19:17.0734 2200 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2011/06/25 13:19:17.0812 2200 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys 2011/06/25 13:19:17.0859 2200 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2011/06/25 13:19:17.0953 2200 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys 2011/06/25 13:19:18.0015 2200 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2011/06/25 13:19:18.0078 2200 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2011/06/25 13:19:18.0140 2200 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2011/06/25 13:19:18.0203 2200 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2011/06/25 13:19:18.0250 2200 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2011/06/25 13:19:18.0296 2200 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2011/06/25 13:19:18.0359 2200 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2011/06/25 13:19:18.0437 2200 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys 2011/06/25 13:19:18.0515 2200 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys 2011/06/25 13:19:18.0562 2200 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2011/06/25 13:19:18.0671 2200 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2011/06/25 13:19:18.0750 2200 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys 2011/06/25 13:19:18.0828 2200 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys 2011/06/25 13:19:19.0078 2200 wdmaud 
     (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
     2011/06/25 13:19:19.0328 2200 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
     2011/06/25 13:19:19.0437 2200 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
     2011/06/25 13:19:19.0500 2200 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
     2011/06/25 13:19:19.0609 2200 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
     2011/06/25 13:19:19.0625 2200 ================================================================================
     2011/06/25 13:19:19.0625 2200 Scan finished
     2011/06/25 13:19:19.0625 2200 ================================================================================
     2011/06/25 13:19:19.0656 2436 Detected object count: 0
     2011/06/25 13:19:19.0656 2436 Actual detected object count: 0
     2011/06/25 13:19:29.0718 2980 Deinitialize success
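The TDSSKiller log above prints one line per loaded kernel module with the module's MD5 and path, which makes it a convenient inventory to compare against the same files on a machine that is known to be clean. The script below is an added example, not code from the forum post, from Kaspersky or from any of the tools named in the thread: it parses that line format (including the MBR line, which carries an extra size field before the hash) and reports modules whose hash differs from a baseline, modules absent from the baseline, and modules that match. The sample log lines are copied from the post; the baseline dictionary is constructed for the example, and its VolSnap value is a placeholder chosen to differ from the log so the mismatch path is exercised. It says nothing about the real file.

```python
"""Parse TDSSKiller module lines and diff their MD5s against a baseline.

Added example for the forum thread; not the tool's own code.
"""
import re
from dataclasses import dataclass

# One TDSSKiller module line: "<date> <time> <tid> <name> [(0xSIZE)] (<md5>) <path>".
# The optional size group covers the MBR entry, e.g. "MBR (0x1B8) (<md5>) \Device\...".
LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} [\d:.]+ \d+ "   # timestamp and thread id
    r"(?P<name>\S+)"                     # service / object name
    r"(?: \(0x[0-9A-Fa-f]+\))?"          # optional size field (MBR line only)
    r" \((?P<md5>[0-9a-fA-F]{32})\) "    # MD5 of the module
    r"(?P<path>.+?)\s*$"                 # file or device path
)


@dataclass(frozen=True)
class Module:
    name: str
    md5: str
    path: str


def parse_tdsskiller(log_text):
    """Return the Module entries found in a TDSSKiller log; status lines are skipped."""
    modules = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            modules.append(Module(m["name"], m["md5"].lower(), m["path"]))
    return modules


def compare_to_baseline(modules, baseline):
    """Compare scanned modules with a baseline {lowercase path: md5}.

    Returns {"mismatch": [...], "unknown": [...], "ok": [...]}: a mismatch is a
    path that exists in the baseline with a different hash, unknown is a path
    the baseline does not list at all. Paths are compared case-insensitively
    because the log mixes "DRIVERS" and "drivers" for the same directory.
    """
    report = {"mismatch": [], "unknown": [], "ok": []}
    for mod in modules:
        expected = baseline.get(mod.path.lower())
        if expected is None:
            report["unknown"].append(mod)
        elif expected.lower() != mod.md5:
            report["mismatch"].append(mod)
        else:
            report["ok"].append(mod)
    return report


# Sample input: three module lines and the MBR line copied from the pasted log,
# plus two scan-status lines that the parser must ignore.
SAMPLE_LOG = """\
2011/06/25 13:18:58.0421 2200 Scan started
2011/06/25 13:19:00.0000 2200 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
2011/06/25 13:19:17.0218 2200 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\\WINDOWS\\system32\\DRIVERS\\tcpip.sys
2011/06/25 13:19:18.0562 2200 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\\WINDOWS\\system32\\drivers\\VolSnap.sys
2011/06/25 13:19:19.0609 2200 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \\Device\\Harddisk0\\DR0
2011/06/25 13:19:19.0625 2200 Scan finished
"""

# Constructed baseline (assumption). In practice it is built by hashing the same
# files on a trusted machine; the VolSnap value is a placeholder that differs
# from the log on purpose so that the mismatch branch runs. Tcpip is left out
# to show the "unknown" branch.
BASELINE = {
    r"c:\windows\system32\drivers\acpi.sys": "8fd99680a539792a30e97944fdaecf17",
    r"c:\windows\system32\drivers\volsnap.sys": "00000000000000000000000000000000",  # placeholder
    r"\device\harddisk0\dr0": "5cb90281d1a59b251f6603134774eec3",
}


def run_sample():
    """Parse the sample log and diff it against the constructed baseline."""
    return compare_to_baseline(parse_tdsskiller(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    report = run_sample()
    for kind in ("mismatch", "unknown", "ok"):
        for mod in report[kind]:
            print(f"{kind:8s} {mod.name:10s} {mod.md5} {mod.path}")
```

A real baseline should be produced from files of exactly the same Windows build and patch level, since legitimate updates (the mup.sys and mrxsmb.sys replacements visible in the ComboFix Find3M report, for instance) change driver hashes as well; a mismatch is a lead to investigate, not a verdict.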
  10. I don't have AVG installed. However, I just realized that I have an AVG product called PC Tuneup 2011. This isn't a virus scanner, but I un-installed it to keep combofix happy. The combofix log is below. There have been a number of developments since the last time you contacted me. Out of frustration for the pace of things here, I attempted some disinfection on my own. (I use my computer to make a living and I really can't be without it for weeks.) First, I created a bootable AVG scanner disk from an ISO image and ran that. The only thing that it found was an infection in the volsnap.sys filed mentioned in my previous posting. Since this is a critical system file, I obtained a clean copy of the file from another XP system and copied it over. This seemed to fix most of my problems. I was still missing many of my desktop shortcuts, so I searched for solutions to this problem. I found some very helpful information at pcmech.com. First, I downloaded and ran a script called unhide.exe from bleepingcomputer.com. This restored the visibility of all of my desktop and start menu items. However, I found that even though the items were visible, the shortcuts contained within them had all been deleted. Second, on another suggestion from pcmech.com, I was able to restore all of the shortcuts. I don't know why, but copies of all of the All Users shortcuts could be found in directory: Documents & Settings\All Users\Local Settings\Temp\smtmp. I copied them over and they worked. In hindsight, perhaps it's a good thing that combofix did not work, because it wipes out this directory. For what it's worth, these are the relevant discussions at pcmech.com: http://www.pcmech.com/forum/networking-online-security/220365-virus-cleaned-all-files-folders-hidden-system-solved.html http://www.pcmech.com/forum/networking-online-security/220860-solution-missing-start-menu-shortcuts.html At this point, everything *seems* hunky-dory. I did a system checkpoint and a backup. 
I also ran a bunch of scans: ESET, the Kaspersky online scanner, the AVG bootable disc again, Anti-Malware, Windows Defender, Symantec, Spybot, maybe another one. None of them are finding anything. And earlier today, I installed and ran TDDSKiller from bleepingcomputer.com and it also found nothing. Hopefully this combofix log won't show anything, either! By the way, you're probably going to tell me to not use Spybot at the same time as Symantec, but I don't use the active component. Teatimer.exe does not reside in memory. I just run the application manually on occasions such as this. Thanks again. ================================================== ComboFix 11-06-25.05 - Bill Entwistle 06/26/2011 0:45.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.316 [GMT -5:00] Running from: c:\documents and settings\Bill Entwistle\Desktop\ComboFix.exe AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . 
  11. New developments.... I found that the reason my desktop was gone was because all of the files and directories in my profile, the All Users profile, and the Default User profile had been hidden. I was able to unhide everything in these three directories, which brought back a portion of my shortcuts, etc., but the All Users and Default Users ones are still not available on my desktop for some reason. I also noticed an iexplore.exe process which starts up about every 15 minutes, then a while later starts showing video advertisements in a popup window. I kill the process every time I see it, but it always comes back. I tried to run combofix, but it gave me a message about not being able to run because I have AVG installed. In fact, I don't have AVG installed. But I do have Avira installed. (I disabled Symantec which I was using previously.) When I ran combofix, I happened to notice a very large number of iexplore.exe processes and perhaps others suddenly pop into existence, then go away. Is this something that combofix does? Just after that, the task manager closed spontaneously. I decided to run Anti-Malware and it crashed when doing an update. I ran it again and it claims to be up-to-date. I ran the update again and it showed a "connecting to server" message with full progress bar, and hung. Now it does this every time I run the update. Also, a file spontaneously appeared on my desktop called "catchme.log" and it contains this: "File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully" I don't know where it came from. Below is the DDS log. Attached is the other DDS file. As I said, I couldn't run combofix. Thanks!

==================================================
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Run by Bill Entwistle at 0:38:06 on 2011-06-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.477 [GMT -5:00]
  12. I re-ran the ESET scanner and it found the one previous infection which requires a reboot. (I didn't reboot previously because it didn't tell me to.) My desktop is still wiped out and everything under my Start->Programs menu is gone, as well, making it darned hard to use the computer for anything. Am I screwed here, or might I be able to restore these things via a System Restore? And I just noticed that now all of my search results, no matter what browser, search engine, or destination URL are getting redirected and various things (like returned to the results page), whereas it used to only happen on about 1 in 10 searches. I ran Windows Defender with the latest definitions, and it found nothing. I re-ran Anti-malware, and it finds nothing. Same with Symantec. I just noticed that the Administrative Tools menu in the control panel has been wiped out, as well. As have my toolbar links in Internet Explorer.
  13. I ran the two applications suggested. Results below. I was then able to update Windows Defender. I started a Defender scan. While it was running, I started doing Google searches to see if the hijacking was still occurring. It was. I decided to copy a few URLs that it was going to in case it might be of use to you. In each case below, the first URL is where the search results went to, which then automatically redirected to the second URL.

http://www.discoverexactly.com/jump1/?affiliate=2780&subid=18254&terms=cats&sid=Z424043901%40EzXykjN0MjNfdDM18VNy8lM08lM5MTM2QDOwMTM&a=vgpt&mr=1&rc=0
http://www.shopica.com/search.php?q=cats&txn=1304454759-42a3.2515.4dfd8953.4cf0

http://www.find-quick-results.com/jump1/?affiliate=itcg&subid=18254&terms=dogs&sid=Z463044018%40IzXwAzN3cjNfZzN28FNz8FO08VNyYTM2QDOwMTM&a=vgpt&mr=1&rc=0
http://www.askthecrew.net/search/a002/innerxy.php?q=Dogs&xy=itcg-18254

http://www.find-quick-results.com/jump1/?affiliate=itcg&subid=18254&terms=rabbits&sid=Z619044163x8FN2gDMxczX0QTNfNzMfRTNy8VNzcTM2QDOwMTM&a=vgpt&mr=1&rc=0?
http://scour.com/search/web/Rabbits/a11/itcg-18254/v5

In the middle of doing this, Windows Defender simply closed (probably when I hit one of these target websites?). Now, I cannot run Defender anymore. It opens, then immediately closes. I then started writing this up and decided to run Malwarebytes at the same time. It found 12 infections! Results shown below. While it was running, I kept getting a popup error message saying "Hard Drive Failure - The system has detected a problem with one of more installed IDE / SATA hard disks. It is recommended that you restart the system." After that, I also got one that says "System Error - An error occurred while reading system files. Run a system disgnostic utility to check you hard disk driver for errors." After these error popups started appearing, all the icons from my desktop disappeared. I ran explorer.exe from the Run prompt and was able to explore the hard drive and it *appears* that everything in my Desktop directory has been deleted. Unfortunately, this included the Security Check scan results which I saved to the desktop, so they are not included here after all. I am restarting the system now, only because Antimalware is telling me to. I sure hope this improves things, rather than making matters worse! What a mess. If you could possibly get back to me in a timely manner, it would be greatly appreciated. Thanks!

====================================================================
Results from ESET scan:
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tpt0zqrw.default\extensions\{80ca0793-89ed-41ef-a964-958f4c3e1a4d}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions\{80ca0793-89ed-41ef-a964-958f4c3e1a4d}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-3238264531-3539326320-3744746308-1005\Dc4.dllXXX a variant of Win32/Kryptik.OKQ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\lpk32.dll a variant of Win32/Kryptik.OKQ trojan cleaned by deleting (after the next restart) - quarantined

====================================================================
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6893

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/19/2011 12:51:26 AM
mbam-log-2011-06-19 (00-51-26).txt

Scan type: Quick scan
Objects scanned: 178794
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
c:\documents and settings\all users\application data\hhfekghkxwvkc.exe (Trojan.FakeAlert) -> 3748 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HhFEKGHKxwvKC (Trojan.FakeAlert) -> Value: HhFEKGHKxwvKC -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\hhfekghkxwvkc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\bill entwistle\local settings\temp\-213E8.tmp (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\bill entwistle\local settings\temp\1453E8.tmp (Trojan.FakeAlert.Gen) -> Delete on reboot.
c:\documents and settings\bill entwistle\local settings\temp\2035.tmp (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\bill entwistle\local settings\temp\jar_cache4636311328325280350.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\bill entwistle\local settings\temp\tmpC077.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  14. I had Avira installed because the instructions (pinned at the top of the forum) say to install it and run a scan. I've uninstalled it now. Below is the latest scan by Anti-Malware. A previous scan run yesterday found one new infection:

c:\documents and settings\bill entwistle\0.01169609941940919.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

--------------------------------------------------
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6863

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/15/2011 3:10:01 PM
mbam-log-2011-06-15 (15-10-01).txt

Scan type: Quick scan
Objects scanned: 177799
Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------------------

lpk32.dll
Submission date: 2011-06-15 20:11:36 (UTC)
Current status: finished
Result: 1/42 (2.4%)

Antivirus               Version           Last Update   Result
AhnLab-V3               2011.06.16.00     2011.06.15    -
AntiVir                 7.11.9.226        2011.06.15    -
Antiy-AVL               2.0.3.7           2011.06.15    -
Avast                   4.8.1351.0        2011.06.15    -
Avast5                  5.0.677.0         2011.06.15    -
AVG                     10.0.0.1190       2011.06.15    -
BitDefender             7.2               2011.06.15    -
CAT-QuickHeal           11.00             2011.06.15    -
ClamAV                  0.97.0.0          2011.06.15    -
Commtouch               5.3.2.6           2011.06.15    -
Comodo                  9079              2011.06.15    -
DrWeb                   5.0.2.03300       2011.06.15    -
Emsisoft                5.1.0.8           2011.06.15    -
eSafe                   7.0.17.0          2011.06.15    -
eTrust-Vet              36.1.8387         2011.06.15    -
F-Prot                  4.6.2.117         2011.06.15    -
Fortinet                4.2.257.0         2011.06.15    -
GData                   22                2011.06.15    -
Ikarus                  T3.1.1.104.0      2011.06.15    -
Jiangmin                13.0.900          2011.06.15    -
K7AntiVirus             9.106.4812        2011.06.14    -
Kaspersky               9.0.0.837         2011.06.15    -
McAfee                  5.400.0.1158      2011.06.15    -
McAfee-GW-Edition       2010.1D           2011.06.15    -
Microsoft               1.6903            2011.06.13    -
NOD32                   6211              2011.06.15    -
Norman                  6.07.10           2011.06.15    -
nProtect                2011-06-15.02     2011.06.15    -
Panda                   10.0.3.5          2011.06.15    -
PCTools                 7.0.3.5           2011.06.15    -
Prevx                   3.0               2011.06.15    -
Rising                  23.62.02.05       2011.06.15    -
Sophos                  4.66.0            2011.06.15    Troj/Bckdr-RHT
SUPERAntiSpyware        4.40.0.1006       2011.06.15    -
Symantec                20111.1.0.186     2011.06.15    -
TheHacker               6.7.0.1.230       2011.06.14    -
TrendMicro              9.200.0.1012      2011.06.15    -
TrendMicro-HouseCall    9.200.0.1012      2011.06.15    -
VBA32                   3.12.16.1         2011.06.15    -
VIPRE                   9591              2011.06.15    -
ViRobot                 2011.6.15.4513    2011.06.15    -
VirusBuster             14.0.82.0         2011.06.15    -

Additional information
MD5   : a82c18dc0142deeaf9fffc9c12d627f3
SHA1  : a7b2ba3c35b1e323b2e63fa4f52528318bdd7f61
SHA256: 04ec837c175ff6617ab01bfc2467e138378cc8f5544f216e024bc97300d63f11
ssdeep: 3072:ma6v/UxHib7CjBVYsb84pIKB/mY+rhWzpLcS9Fz01y/BCtPjhMb5:mvUB67CFBb8uIumhhVS9FL/BEjh
File size : 168960 bytes
First seen: 2011-06-10 02:48:01
Last seen : 2011-06-15 20:11:36

TrID:
Win32 Executable MS Visual C++ (generic) (65.1%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

sigcheck:
publisher....: n/a
copyright....: Copyright © 2009
product......: Dr Link Library
description..: Dr Link Library
original name: Dr.DLL
internal name: Dr
file version.: 2009, 11, 12, 115
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x8C94
timedatestamp....: 0x43AE09BD (Sun Dec 25 02:53:49 2005)
machinetype......: 0x14c (I386)

[[ 8 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0xA000, 0x9600, 5.82, 8b5a1f7b0cd58c6f361797dfdbc9c811
.data, 0xB000, 0xF000, 0xF000, 7.50, 346c1af89beefe2c3d936473abd5d880
.rdata, 0x1A000, 0xF000, 0xEE00, 7.47, d42962281eec260728fef0c8a5a211da
.bss, 0x29000, 0x4000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.edata, 0x2D000, 0x1000, 0x200, 4.05, 2c8484b20bf40a859b69083710f940e6
.idata, 0x2E000, 0x1000, 0x600, 4.78, e8338ef2d73ffe929d0f5fccbdb8a1c4
.rsrc, 0x2F000, 0x1000, 0x400, 2.59, bf731159fd6855cce424708e422fafb4
.reloc, 0x30000, 0xF71, 0x1000, 6.71, cd4934617a9c99a4e5bb9ee304f3a742

[[ 6 import(s) ]]
ADVAPI32.dll: OpenTraceW, RegDeleteKeyA, SetPrivateObjectSecurityEx, ChangeServiceConfig2W
KERNEL32.dll: DeleteFileA, DeviceIoControl, ExitProcess, GetModuleHandleA, GetProcAddress, HeapSize, LoadLibraryA, VirtualAlloc, VirtualFree
ole32.dll: StringFromGUID2, CLSIDFromString, CoBuildVersion, CoFileTimeNow, IsEqualGUID, CreateAntiMoniker
USER32.dll: RegisterHotKey, CharNextA, EnumDesktopsA, GetClassWord, GetClipboardFormatNameA, GetKBCodePage, GetPriorityClipboardFormat, IsCharAlphaA, IsClipboardFormatAvailable, MessageBoxExA, MessageBoxIndirectA, PeekMessageA, CloseWindowStation, SendMessageTimeoutW, SetClipboardViewer
security.dll: DeleteSecurityPackageW, FreeCredentialsHandle
MSVCRT.dll: exit, _cexit, __set_app_type, __p__commode, __getmainargs

[[ 9 export(s) ]]
CompressedFileReaderObjectCreate, CompressedFileReaderObjectUncompressedSizeGet, Create, DeviceAddLocal, DiscAtOnceRawPWFromFileAudioUnicode, FileCreate, ISO9660JolietFileTreeImportTrack, TestUnitReadyEx, TrackAtOnceFromMemory

ExifTool: file metadata
CharacterSet: Unicode
CodeSize: 40960
EntryPoint: 0x8c94
FileDescription: Dr Link Library
FileFlagsMask: 0x0017
FileOS: Win32
FileSize: 165 kB
FileSubtype: 0
FileType: Win32 DLL
FileVersion: 2009, 11, 12, 115
FileVersionNumber: 2009.11.12.115
ImageVersion: 1.0
InitializedDataSize: 180224
InternalName: Dr
LanguageCode: Process default
LegalCopyright: Copyright © 2009
LinkerVersion: 2.38
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Dynamic link library
OriginalFilename: Dr.DLL
PEType: PE32
ProductName: Dr Link Library
ProductVersion: 1, 0, 0, 115
ProductVersionNumber: 1.0.0.115
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2005:12:25 03:53:49+01:00
UninitializedDataSize: 16384

Symantec reputation: Suspicious.Insight

lpk32.zip