No explorer or admin permission after Microsoft Security Essentials Alert


  • This topic is locked
20 replies to this topic

#1 Hengest

    New Member

  • Members
  • 12 posts

Posted 21 October 2010 - 09:08 AM

Hello,

I ran Malwarebytes after the fake Microsoft Security Essentials Alert appeared on my PC. I now have no Windows explorer and if I try to load it from task manager I get the message "Windows can not load the specified device, path or file. You may not have the appropriate permissions to access the item".

I can load most other things from task manager.

I have done everything recommended here before posting and I think I have attached all of the correct information. I tried twice to save the GMER log but each time the program crashed so instead I copied the results to a text file.

Thanks in advance.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4895

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/10/2010 20:49:40
mbam-log-2010-10-20 (20-49-40).txt

Scan type: Quick scan
Objects scanned: 233892
Time elapsed: 48 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\mswpmt.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tziwofoseqov (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\mswpmt.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Documents and Settings\Dad\Local Settings\Temp\jtxqvaa.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\7F7G50FQ\cfjeyt[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\7F7G50FQ\aaick[1].htm (Rogue.FakeMSE) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\H2NVEZHG\aaick[2].htm (Rogue.FakeMSE) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\S1MX5BFE\cfjeyt[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Templates\memory.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


DDS (Ver_10-10-10.03) - NTFSx86
Run by Dad at 23:26:32.67 on 20/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1392 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost -k DComLaunch
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\IObit\Advanced SystemCare 3\AutoSweep.exe
svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dad\My Documents\My Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Page =
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Network Magic Browser Helper: {07d7f044-2f5f-41b2-baa5-936814af0163} - c:\program files\pure networks\network magic\nmbrhlp2.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp pro\wsbho2k0.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
{86dbe499-3dea-4252-93b8-d1dbade25bfc}
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AE40EBA0-2D49-48C9-BA8D-E9F046240F5F} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{fa2d811e-5447-4e2e-ab70-3364ed0cf6f9}
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
uRun: [nmctxth] c:\program files\common files\pure networks shared\platform\nmctxth.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [iTunesFolderWatch] c:\program files\jezsoft\itunesfolderwatch\iTunesFolderWatch.exe
uRun: [FeedDemon] "c:\program files\feeddemon\FeedDemon.exe" /startminimized
uRun: [OpAgent] "OpAgent.exe" /agent
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Tziwofoseqov] rundll32.exe "c:\windows\mswpmt.dll",Startup
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Qqirem] rundll32.exe "c:\windows\abihixow.dll",Startup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\dad\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
IE: Add to &Evernote - c:\program files\evernote\evernote3.5\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append the content of the link to existing PDF file - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Append to existing PDF file - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Create PDF file - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Free YouTube Download - c:\documents and settings\dad\application data\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\dad\application data\dvdvideosoftiehelpers\youtubetomp3.htm
IE: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll,c:\progra~1\bandoo\bndhook.dll,c:\progra~1\bandoo\bndhook.dll,c:\progra~1\bandoo\bndhook.dll,c:\progra~1\bandoo\bndhook.dll c:\progra~1\bandoo\bndhook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnkiiFx
LSA: Notification Packages = :\windows\system32\srr
mASetup: {232f4e3f2-bab8-11d0-97b9-00c04f98bcb9} - c:\windows\system32\agsystem2.exe -p WinUpdate.exe -p agsystem2.exe -p msrtspr1.exe -f agsystem2.exe -f agony.sys -f WinUpdate.exe -k run -tcp 6667 -udp 6667 -r

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\62a7z0jd.default\
FF - prefs.js: browser.startup.homepage - hxxp://s6-eu.startpage.com/do/mypage.pl?prf=b149ef0eb27be03895df6c1b7d0529d3
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\dad\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\documents and settings\dad\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBTEmailConfig.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprjplug.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {BCDD5DB7-E22B-437D-9996-EE84C59A2100} - c:\documents and settings\dad\local settings\application data\{bcdd5db7-e22b-437d-9996-ee84c59a2100}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-2-27 11264]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-6-10 165584]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2010-9-30 57344]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-6-10 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-9 40384]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-8-24 312152]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-9 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-9 40384]
R3 GMFilter Filter;GMFilter Filter;c:\windows\system32\drivers\GMFilter.sys [2008-1-3 25088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c92be94c0e665a;Google Update Service (gupdate1c92be94c0e665a);c:\program files\google\update\GoogleUpdate.exe [2008-10-11 133104]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;\??\c:\windows\system32\drivers\awrtrd.sys --> c:\windows\system32\drivers\AWRTRD.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-1-19 16512]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.txt=Notepad++_file

=============== Created Last 30 ================

2010-10-20 20:48:47 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-10-20 20:48:47 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-10-20 20:48:46 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-10-20 20:48:46 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-10-20 20:48:45 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-10-20 20:48:31 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-10-20 20:48:31 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-10-20 20:48:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-10-20 20:48:25 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-10-20 20:48:05 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-10-20 20:48:00 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-10-20 20:46:59 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys
2010-10-20 20:45:58 94698 -c--a-w- c:\windows\system32\dllcache\sk98xwin.sys
2010-10-20 20:44:58 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2010-10-20 20:43:57 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
2010-10-20 20:42:58 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2010-10-20 20:41:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-10-20 20:40:59 32768 -c--a-w- c:\windows\system32\dllcache\hpgtmcro.dll
2010-10-20 20:39:56 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-10-20 20:38:59 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys
2010-10-20 20:37:59 26496 -c--a-w- c:\windows\system32\dllcache\asc.sys
2010-10-20 18:16:34 0 ----a-w- c:\windows\Czumim.bin
2010-10-20 18:16:31 -------- d-----w- c:\docume~1\dad\locals~1\applic~1\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}
2010-10-18 20:23:50 -------- d-----w- c:\documents and settings\dad\Tracing
2010-10-17 20:57:49 -------- d-----w- c:\program files\Microsoft
2010-10-17 20:57:28 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-10-17 20:53:59 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc24F.tmp
2010-10-17 20:45:16 -------- d-----w- c:\program files\common files\Windows Live
2010-10-09 18:07:07 -------- d-----w- c:\docume~1\dad\applic~1\WindSolutions
2010-10-09 18:07:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\WindSolutions
2010-10-06 22:47:22 -------- d-----w- c:\program files\TweetDeck
2010-10-05 21:49:02 -------- d-----w- c:\docume~1\dad\applic~1\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-10-05 21:49:02 -------- d-----w- c:\docume~1\dad\applic~1\Adobe Mini Bridge CS5
2010-09-30 22:53:18 57344 ----a-w- c:\windows\system32\ASTSRV.EXE
2010-09-30 22:53:15 -------- d-----w- c:\program files\Alien Skin
2010-09-30 22:28:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\boost_interprocess
2010-09-30 22:15:35 -------- d-----w- c:\program files\common files\Topaz Labs
2010-09-30 22:15:34 -------- d-----w- c:\program files\Topaz Labs
2010-09-30 18:32:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\regid.1986-12.com.adobe
2010-09-28 23:14:22 -------- d-----w- c:\program files\iPod
2010-09-23 21:41:01 -------- d-----w- c:\docume~1\dad\applic~1\AMPSoft

==================== Find3M ====================

2010-09-19 18:50:03 8892928 ----a-w- c:\docume~1\alluse~1\applic~1\atscie.msi
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-12 18:29:48 2772992 ----a-w- c:\windows\system32\GPhotos.scr
2010-07-27 17:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 17:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-23 20:02:41 81408 ----a-w- c:\program files\taskkill.exe

============= FINISH: 23:29:20.42 ===============

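As an added triage example (not code from the thread, from DDS, or from Malwarebytes), the script below runs a few defender-side checks over persistence lines copied from the DDS log above: rundll32 autoruns that load a DLL from the Windows root, a populated AppInit_DLLs value, LSA package entries beyond an assumed XP workstation baseline (msv1_0 and scecli), and an mASetup command that opens network ports. The category names and that baseline are this example's own assumptions.

```python
"""Triage of DDS 'Pseudo HJT Report' persistence lines.

The sample input is copied from the DDS log posted in this thread (plus one
benign uRun line as a control). The rules, category names and the LSA
baseline are assumptions of this example, not part of DDS or Malwarebytes.
"""
import ntpath
import re
from dataclasses import dataclass

# Sample lines taken from the DDS log above; the ctfmon line is the benign control.
SAMPLE_LINES = [
    r'uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe',
    r'uRun: [Tziwofoseqov] rundll32.exe "c:\windows\mswpmt.dll",Startup',
    r'mRun: [Qqirem] rundll32.exe "c:\windows\abihixow.dll",Startup',
    r'AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll,c:\progra~1\bandoo\bndhook.dll,'
    r'c:\progra~1\bandoo\bndhook.dll,c:\progra~1\bandoo\bndhook.dll,'
    r'c:\progra~1\bandoo\bndhook.dll c:\progra~1\bandoo\bndhook.dll',
    r'LSA: Authentication Packages = msv1_0 c:\windows\system32\opnkiiFx',
    r'LSA: Notification Packages = :\windows\system32\srr',
    r'mASetup: {232f4e3f2-bab8-11d0-97b9-00c04f98bcb9} - c:\windows\system32\agsystem2.exe '
    r'-p WinUpdate.exe -p agsystem2.exe -p msrtspr1.exe -f agsystem2.exe -f agony.sys '
    r'-f WinUpdate.exe -k run -tcp 6667 -udp 6667 -r',
]

# Assumed stock LSA packages for an XP workstation (not taken from the thread).
LSA_BASELINE = {'Authentication': {'msv1_0'}, 'Notification': {'scecli'}}

# uRun/mRun/dRun entry whose command is rundll32 <dll>,<export>
RUN_RE = re.compile(
    r'^[umd]Run:\s+\[(?P<name>[^\]]+)\]\s+rundll32(?:\.exe)?\s+'
    r'"?(?P<dll>[^",]+)"?,(?P<export>\w+)', re.I)
LSA_RE = re.compile(
    r'^LSA:\s+(?P<kind>Authentication|Notification) Packages\s*=\s*(?P<value>.*)$')
PORT_RE = re.compile(r'-(tcp|udp)\s+(\d+)', re.I)


@dataclass
class Finding:
    category: str
    detail: str
    line: str


def check_run(line):
    """Flag a rundll32 autorun whose DLL sits directly in the Windows root."""
    m = RUN_RE.match(line)
    if not m:
        return None
    dll = m.group('dll')
    if not ntpath.dirname(dll).lower().endswith('\\windows'):
        return None
    detail = f"{m.group('name')} loads {dll} ({m.group('export')} export) from the Windows root"
    return Finding('rundll32-autorun', detail, line)


def check_appinit(line):
    """Flag any populated AppInit_DLLs value; such DLLs load into every GUI process."""
    if not line.lower().startswith('appinit_dlls:'):
        return None
    value = line.split(':', 1)[1].strip()   # split once: the paths contain ':' too
    if not value:
        return None
    entries = [e for e in re.split(r'[,\s]+', value) if e]
    unique = sorted({e.lower() for e in entries})
    return Finding('appinit-dlls',
                   f'{len(entries)} entries ({len(unique)} unique): {", ".join(unique)}', line)


def check_lsa(line):
    """Flag LSA authentication/notification packages outside the assumed baseline."""
    m = LSA_RE.match(line)
    if not m:
        return None
    kind = m.group('kind')
    extra = [p for p in m.group('value').split() if p.lower() not in LSA_BASELINE[kind]]
    if not extra:
        return None
    return Finding('lsa-package', f'{kind} Packages has non-baseline entries: {", ".join(extra)}', line)


def check_masetup(line):
    """Flag an Active Setup (mASetup) command that carries tcp/udp port switches."""
    if not line.startswith('mASetup:'):
        return None
    ports = PORT_RE.findall(line)
    if not ports:
        return None
    opened = ', '.join(f'{proto.lower()}/{port}' for proto, port in ports)
    return Finding('masetup-network', f'Active Setup command opens {opened}', line)


CHECKS = (check_run, check_appinit, check_lsa, check_masetup)


def triage(lines):
    """Run every check over each line; a line yields at most one finding."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for check in CHECKS:
            found = check(line)
            if found:
                findings.append(found)
                break
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'[{f.category}] {f.detail}')
```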



#2 LDTate

    Forum Deity

  • Moderators
  • 21,126 posts
  • Gender:Male
  • Location:Missouri, USA

Posted 21 October 2010 - 10:26 AM

:)

Please don't attach the scan results, use Copy/Paste


DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.


Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. With Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please read carefully and follow these steps.
  • Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
  • A copy of the log will be saved automatically to the root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Please post the contents of that TDSSKiller log.
Larry Tate
Product Support


#3 Hengest

    New Member

  • Members
  • 12 posts

Posted 21 October 2010 - 10:37 AM

Thanks for the response LDTate


2010/10/21 16:34:40.0578 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/21 16:34:40.0578 ================================================================================
2010/10/21 16:34:40.0578 SystemInfo:
2010/10/21 16:34:40.0578
2010/10/21 16:34:40.0578 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/21 16:34:40.0578 Product type: Workstation
2010/10/21 16:34:40.0578 ComputerName: PC1
2010/10/21 16:34:40.0578 UserName: Dad
2010/10/21 16:34:40.0578 Windows directory: C:\WINDOWS
2010/10/21 16:34:40.0578 System windows directory: C:\WINDOWS
2010/10/21 16:34:40.0578 Processor architecture: Intel x86
2010/10/21 16:34:40.0578 Number of processors: 2
2010/10/21 16:34:40.0578 Page size: 0x1000
2010/10/21 16:34:40.0578 Boot type: Normal boot
2010/10/21 16:34:40.0578 ================================================================================
2010/10/21 16:34:40.0859 Initialize success
2010/10/21 16:34:56.0781 ================================================================================
2010/10/21 16:34:56.0781 Scan started
2010/10/21 16:34:56.0781 Mode: Manual;
2010/10/21 16:34:56.0781 ================================================================================
2010/10/21 16:35:19.0125 ================================================================================
2010/10/21 16:35:19.0125 Scan finished
2010/10/21 16:35:19.0125 ================================================================================
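A parser for this log layout, added here as an example (not the thread's code and not TDSSKiller's own): it reads the header fields, the driver inventory and the scan markers, then reports drivers loaded from outside the Windows driver directory and drivers whose MD5 is on a supplied hash set. The sample lines, hashes and the `examplesvc` driver are constructed placeholders in the posted format; service names can contain a space, so the name is matched up to the hash rather than as a single token.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Every line of a TDSSKiller log carries the same timestamp prefix.
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+"
# Loaded-driver line: service name (may contain a space), 32-hex MD5, path.
ENTRY_RE = re.compile(rf"^{TS} (?P<name>.+?) \((?P<md5>[0-9a-fA-F]{{32}})\) (?P<path>.+)$")
# Header field such as "OS Version: 5.1.2600 ServicePack: 3.0".
HEADER_RE = re.compile(rf"^{TS} (?P<key>[A-Za-z ]+): ?(?P<value>.*)$")
# Scan markers; a log with no "Scan finished" line was cut off or the tool died.
MARKER_RE = re.compile(rf"^{TS} Scan (?P<marker>started|finished)$")

# Constructed sample in the posted layout. The hashes are placeholders and
# "examplesvc" is a hypothetical driver sitting outside the driver folder.
SAMPLE_LOG = "\n".join([
    r"2010/10/21 16:34:40.0578 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59",
    r"2010/10/21 16:34:40.0578 SystemInfo:",
    r"2010/10/21 16:34:40.0578 OS Version: 5.1.2600 ServicePack: 3.0",
    r"2010/10/21 16:34:40.0578 Windows directory: C:\WINDOWS",
    r"2010/10/21 16:34:40.0578 Boot type: Normal boot",
    r"2010/10/21 16:34:56.0781 Scan started",
    r"2010/10/21 16:34:56.0781 Mode: Manual;",
    r"2010/10/21 16:34:57.0500 Aavmker4 (00112233445566778899aabbccddeeff) C:\WINDOWS\system32\drivers\Aavmker4.sys",
    r"2010/10/21 16:35:02.0375 GMFilter Filter (ffeeddccbbaa99887766554433221100) C:\WINDOWS\system32\Drivers\GMFilter.sys",
    r"2010/10/21 16:35:15.0359 sptd (0123456789abcdef0123456789abcdef) C:\WINDOWS\System32\Drivers\sptd.sys",
    r"2010/10/21 16:35:18.0990 examplesvc (deadbeefdeadbeefdeadbeefdeadbeef) C:\WINDOWS\Temp\example.sys",
    r"2010/10/21 16:35:19.0125 Scan finished",
])


@dataclass(frozen=True)
class DriverEntry:
    name: str
    md5: str   # normalised to lowercase so hash sets compare reliably
    path: str


def parse_log(text: str) -> Tuple[Dict[str, str], List[DriverEntry], bool]:
    """Return (header fields, driver entries in log order, scan_finished)."""
    headers: Dict[str, str] = {}
    entries: List[DriverEntry] = []
    finished = False
    for line in text.splitlines():
        line = line.rstrip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(DriverEntry(m["name"], m["md5"].lower(), m["path"]))
            continue
        m = MARKER_RE.match(line)
        if m:
            finished = finished or m["marker"] == "finished"
            continue
        m = HEADER_RE.match(line)
        if m:
            headers[m["key"].strip()] = m["value"].strip()
    return headers, entries, finished


def triage(headers: Dict[str, str], entries: List[DriverEntry],
           known_bad: FrozenSet[str] = frozenset()) -> List[str]:
    """Findings a responder would look at first, in log order."""
    # The log mixes DRIVERS / Drivers / drivers, so compare case-insensitively,
    # and take the Windows directory from the header rather than assuming it.
    windir = headers.get("Windows directory", r"C:\WINDOWS").lower()
    expected_dir = windir + r"\system32\drivers"
    findings: List[str] = []
    for e in entries:
        folder = e.path.lower().rsplit("\\", 1)[0]
        if folder != expected_dir:
            findings.append(f"unusual location: {e.name} -> {e.path}")
        if e.md5 in known_bad:
            findings.append(f"known-bad hash: {e.name} ({e.md5}) {e.path}")
    return findings


if __name__ == "__main__":
    hdr, drivers, done = parse_log(SAMPLE_LOG)
    print(f"{len(drivers)} drivers, OS {hdr.get('OS Version')}, scan finished: {done}")
    # The "deadbeef" hash is a constructed placeholder for a known-bad set.
    for finding in triage(hdr, drivers, known_bad=frozenset({"deadbeef" * 4})):
        print(" -", finding)
```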

#4 LDTate (Forum Deity, Moderator)

Posted 21 October 2010 - 10:39 AM

Download ComboFix from one of these locations:

Link 1
Link 2 (if using this link, right-click and select Save As).


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix message]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

#5 Hengest (New Member)

Posted 21 October 2010 - 11:36 AM

OK, well, I ran ComboFix following the instructions.

After a while the system rebooted and I had regained all of my desktop icons and status bar.

I got 2 warnings about missing DLL files (abihixow.dll and mswpmt.dll).

ComboFix was still active and said "Preparing Log Report - Do not run any programs until Combofix has finished", and this remained for about 15 minutes after all hard drive activity had stopped, so I assumed it was hanging.

The log file was present and is as follows:



ComboFix 10-10-20.04 - Dad 21/10/2010 16:53:05.1.2 - x86
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dad\EULA.txt
C:\Documents and Settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}
C:\Documents and Settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome.manifest
C:\Documents and Settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome\content\_cfg.js
C:\Documents and Settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome\content\overlay.xul
C:\Documents and Settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\install.rdf
C:\Documents and Settings\Kids.PC1\Application Data\alot
C:\Documents and Settings\Kids.PC1\GoToAssistDownloadHelper.exe
C:\WINDOWS\abihixow.dll
C:\WINDOWS\system32\_004840_.tmp.dll
C:\WINDOWS\system32\_004841_.tmp.dll
C:\WINDOWS\system32\_004842_.tmp.dll
C:\WINDOWS\system32\_004843_.tmp.dll
C:\WINDOWS\system32\_004850_.tmp.dll
C:\WINDOWS\system32\_004851_.tmp.dll
C:\WINDOWS\system32\_004852_.tmp.dll
C:\WINDOWS\system32\_004853_.tmp.dll
C:\WINDOWS\system32\_004854_.tmp.dll
C:\WINDOWS\system32\_004855_.tmp.dll
C:\WINDOWS\system32\_004856_.tmp.dll
C:\WINDOWS\system32\_004857_.tmp.dll
C:\WINDOWS\system32\_004858_.tmp.dll
C:\WINDOWS\system32\_004859_.tmp.dll
C:\WINDOWS\system32\_004860_.tmp.dll
C:\WINDOWS\system32\_004861_.tmp.dll
C:\WINDOWS\system32\_004862_.tmp.dll
C:\WINDOWS\system32\_004863_.tmp.dll
C:\WINDOWS\system32\_004864_.tmp.dll
C:\WINDOWS\system32\_004866_.tmp.dll
C:\WINDOWS\system32\_004868_.tmp.dll
C:\WINDOWS\system32\_004869_.tmp.dll
C:\WINDOWS\system32\_004870_.tmp.dll
C:\WINDOWS\system32\_004874_.tmp.dll
C:\WINDOWS\system32\_004875_.tmp.dll
C:\WINDOWS\system32\_004877_.tmp.dll
C:\WINDOWS\system32\_004878_.tmp.dll
C:\WINDOWS\system32\_004879_.tmp.dll
C:\WINDOWS\system32\_004880_.tmp.dll
C:\WINDOWS\system32\_004881_.tmp.dll
C:\WINDOWS\system32\_004882_.tmp.dll
C:\WINDOWS\system32\_004883_.tmp.dll
C:\WINDOWS\system32\_004885_.tmp.dll
C:\WINDOWS\system32\_004886_.tmp.dll
C:\WINDOWS\system32\_004887_.tmp.dll
C:\WINDOWS\system32\_004888_.tmp.dll
C:\WINDOWS\system32\_004889_.tmp.dll
C:\WINDOWS\system32\_004890_.tmp.dll
C:\WINDOWS\system32\_004891_.tmp.dll
C:\WINDOWS\system32\_004892_.tmp.dll
C:\WINDOWS\system32\_004893_.tmp.dll
C:\WINDOWS\system32\_004896_.tmp.dll
C:\WINDOWS\system32\_004897_.tmp.dll
C:\WINDOWS\system32\_004898_.tmp.dll
C:\WINDOWS\system32\_004900_.tmp.dll
C:\WINDOWS\system32\_004901_.tmp.dll
C:\WINDOWS\system32\_004902_.tmp.dll
C:\WINDOWS\system32\_004903_.tmp.dll
C:\WINDOWS\system32\_004904_.tmp.dll
C:\WINDOWS\system32\_004906_.tmp.dll
C:\WINDOWS\system32\_004908_.tmp.dll
C:\WINDOWS\system32\_004909_.tmp.dll
C:\WINDOWS\system32\_004910_.tmp.dll
C:\WINDOWS\system32\_004914_.tmp.dll
C:\WINDOWS\system32\_004915_.tmp.dll
C:\WINDOWS\system32\_004917_.tmp.dll
C:\WINDOWS\system32\_004920_.tmp.dll
C:\WINDOWS\system32\_004922_.tmp.dll
C:\WINDOWS\system32\_004924_.tmp.dll
C:\WINDOWS\system32\_004925_.tmp.dll
C:\WINDOWS\system32\_004928_.tmp.dll
C:\WINDOWS\system32\_004929_.tmp.dll
C:\WINDOWS\system32\_004930_.tmp.dll
C:\WINDOWS\system32\_004931_.tmp.dll
C:\WINDOWS\system32\_004932_.tmp.dll
C:\WINDOWS\system32\_004937_.tmp.dll
C:\WINDOWS\system32\_004939_.tmp.dll
C:\WINDOWS\system32\_004940_.tmp.dll
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\ccrpTmr6.dll
C:\WINDOWS\system32\DJSvDcdd.ini
C:\WINDOWS\system32\Ilmmonpo.ini
C:\WINDOWS\system32\skinboxer43.dll
C:\WINDOWS\system32\xyayGfhk.ini
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\UA000106.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_USNJSVC
-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.

2010-10-20 20:44:58 . 2001-08-17 12:52:18 49024 -c--a-w- C:\WINDOWS\system32\dllcache\ql1280.sys
2010-10-20 20:43:57 . 2001-08-17 11:11:36 65278 -c--a-w- C:\WINDOWS\system32\dllcache\netflx3.sys
2010-10-20 20:42:58 . 2001-08-17 11:12:26 164586 -c--a-w- C:\WINDOWS\system32\dllcache\mdgndis5.sys
2010-10-20 20:41:36 . 2001-08-17 21:36:16 372824 -c--a-w- C:\WINDOWS\system32\dllcache\iconf32.dll
2010-10-20 20:40:59 . 2001-08-17 21:36:16 32768 -c--a-w- C:\WINDOWS\system32\dllcache\hpgtmcro.dll
2010-10-20 20:39:56 . 2001-08-17 11:20:18 334208 -c--a-w- C:\WINDOWS\system32\dllcache\ds1wdm.sys
2010-10-20 20:38:59 . 2001-08-17 12:52:06 7680 -c--a-w- C:\WINDOWS\system32\dllcache\cd20xrnt.sys
2010-10-20 20:37:59 . 2001-08-17 12:52:04 22400 -c--a-w- C:\WINDOWS\system32\dllcache\asc3350p.sys
2010-10-20 18:16:34 . 2010-10-20 18:16:34 0 ----a-w- C:\WINDOWS\Czumim.bin
2010-10-18 20:23:50 . 2010-10-19 07:59:29 -------- d-----w- C:\Documents and Settings\Dad\Tracing
2010-10-18 16:45:44 . 2010-10-18 16:45:47 -------- d-----w- C:\Documents and Settings\Kids.PC1\Tracing
2010-10-17 20:57:49 . 2010-10-17 20:57:49 -------- d-----w- C:\Program Files\Microsoft
2010-10-17 20:57:28 . 2010-10-17 20:57:28 -------- d-----w- C:\Program Files\Windows Live SkyDrive
2010-10-17 20:45:16 . 2010-10-17 20:45:16 -------- d-----w- C:\Program Files\Common Files\Windows Live
2010-10-13 19:28:17 . 2010-10-13 19:28:19 -------- d-----w- C:\Documents and Settings\Dad\Application Data\Thunderbird
2010-10-13 19:25:34 . 2010-10-13 19:25:40 -------- d-----w- C:\Program Files\Mozilla Thunderbird
2010-10-11 16:55:48 . 2010-10-11 16:55:48 -------- d-----w- C:\Documents and Settings\Kids.PC1\Application Data\Adobe Mini Bridge CS5
2010-10-11 16:55:47 . 2010-10-11 16:55:47 -------- d-----w- C:\Documents and Settings\Kids.PC1\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-10-10 10:51:21 . 2010-10-10 10:51:21 -------- d-----w- C:\Documents and Settings\Kids.PC1\Application Data\IObit
2010-10-09 18:07:07 . 2010-10-09 18:15:08 -------- d-----w- C:\Documents and Settings\Dad\Application Data\WindSolutions
2010-10-09 18:07:07 . 2010-10-09 18:15:01 -------- d-----w- C:\Documents and Settings\All Users\Application Data\WindSolutions
2010-10-06 22:47:22 . 2010-10-06 22:47:23 -------- d-----w- C:\Program Files\TweetDeck
2010-10-05 21:49:02 . 2010-10-05 21:49:02 -------- d-----w- C:\Documents and Settings\Dad\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-10-05 21:49:02 . 2010-10-05 21:49:02 -------- d-----w- C:\Documents and Settings\Dad\Application Data\Adobe Mini Bridge CS5
2010-09-30 22:53:18 . 2008-05-19 12:13:20 57344 ----a-w- C:\WINDOWS\system32\ASTSRV.EXE
2010-09-30 22:53:15 . 2010-09-30 22:53:18 -------- d-----w- C:\Program Files\Alien Skin
2010-09-30 22:28:18 . 2010-09-30 22:28:18 -------- d-----w- C:\Documents and Settings\All Users\Application Data\boost_interprocess
2010-09-30 22:15:35 . 2010-09-30 22:15:39 -------- d-----w- C:\Program Files\Common Files\Topaz Labs
2010-09-30 22:15:34 . 2010-09-30 22:15:34 -------- d-----w- C:\Program Files\Topaz Labs
2010-09-30 18:32:01 . 2010-09-30 18:40:22 -------- d-----w- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe
2010-09-30 18:20:31 . 2010-09-30 18:20:31 -------- d-----w- C:\Program Files\Adobe Media Player
2010-09-28 23:14:22 . 2010-09-28 23:14:22 -------- d-----w- C:\Program Files\iPod
2010-09-23 21:41:01 . 2010-09-23 21:41:01 -------- d-----w- C:\Documents and Settings\Dad\Application Data\AMPSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

#6 LDTate
Forum Deity; Moderators; 21,126 posts; Gender: Male; Location: Missouri, USA

Posted 21 October 2010 - 12:52 PM

That's not the complete log.
Try copying it again.
Larry Tate
Product Support


Follow us: Twitter, Become a fan: Facebook

#7 Hengest
New Member; Members; 12 posts

Posted 21 October 2010 - 01:06 PM

That is all there is. The Combofix window is still open and saying the same thing so it has definitely crashed. Should I run it again?

#8 LDTate
Forum Deity; Moderators; 21,126 posts; Gender: Male; Location: Missouri, USA

Posted 21 October 2010 - 01:30 PM

That is all there is. The Combofix window is still open and saying the same thing so it has definitely crashed. Should I run it again?

Yes, run a new scan

#9 Hengest
New Member; Members; 12 posts

Posted 21 October 2010 - 02:27 PM

It worked this time....


ComboFix 10-10-20.04 - Dad 21/10/2010 19:46:39.2.2 - x86
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Dad\EULA.txt
c:\documents and settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome.manifest
c:\documents and settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome\content\_cfg.js
c:\documents and settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome\content\overlay.xul
c:\documents and settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\install.rdf
c:\documents and settings\Kids.PC1\GoToAssistDownloadHelper.exe
c:\windows\abihixow.dll
c:\windows\system32\_004840_.tmp.dll
c:\windows\system32\_004841_.tmp.dll
c:\windows\system32\_004842_.tmp.dll
c:\windows\system32\_004843_.tmp.dll
c:\windows\system32\_004850_.tmp.dll
c:\windows\system32\_004851_.tmp.dll
c:\windows\system32\_004852_.tmp.dll
c:\windows\system32\_004853_.tmp.dll
c:\windows\system32\_004854_.tmp.dll
c:\windows\system32\_004855_.tmp.dll
c:\windows\system32\_004856_.tmp.dll
c:\windows\system32\_004857_.tmp.dll
c:\windows\system32\_004858_.tmp.dll
c:\windows\system32\_004859_.tmp.dll
c:\windows\system32\_004860_.tmp.dll
c:\windows\system32\_004861_.tmp.dll
c:\windows\system32\_004862_.tmp.dll
c:\windows\system32\_004863_.tmp.dll
c:\windows\system32\_004864_.tmp.dll
c:\windows\system32\_004866_.tmp.dll
c:\windows\system32\_004868_.tmp.dll
c:\windows\system32\_004869_.tmp.dll
c:\windows\system32\_004870_.tmp.dll
c:\windows\system32\_004874_.tmp.dll
c:\windows\system32\_004875_.tmp.dll
c:\windows\system32\_004877_.tmp.dll
c:\windows\system32\_004878_.tmp.dll
c:\windows\system32\_004879_.tmp.dll
c:\windows\system32\_004880_.tmp.dll
c:\windows\system32\_004881_.tmp.dll
c:\windows\system32\_004882_.tmp.dll
c:\windows\system32\_004883_.tmp.dll
c:\windows\system32\_004885_.tmp.dll
c:\windows\system32\_004886_.tmp.dll
c:\windows\system32\_004887_.tmp.dll
c:\windows\system32\_004888_.tmp.dll
c:\windows\system32\_004889_.tmp.dll
c:\windows\system32\_004890_.tmp.dll
c:\windows\system32\_004891_.tmp.dll
c:\windows\system32\_004892_.tmp.dll
c:\windows\system32\_004893_.tmp.dll
c:\windows\system32\_004896_.tmp.dll
c:\windows\system32\_004897_.tmp.dll
c:\windows\system32\_004898_.tmp.dll
c:\windows\system32\_004900_.tmp.dll
c:\windows\system32\_004901_.tmp.dll
c:\windows\system32\_004902_.tmp.dll
c:\windows\system32\_004903_.tmp.dll
c:\windows\system32\_004904_.tmp.dll
c:\windows\system32\_004906_.tmp.dll
c:\windows\system32\_004908_.tmp.dll
c:\windows\system32\_004909_.tmp.dll
c:\windows\system32\_004910_.tmp.dll
c:\windows\system32\_004914_.tmp.dll
c:\windows\system32\_004915_.tmp.dll
c:\windows\system32\_004917_.tmp.dll
c:\windows\system32\_004920_.tmp.dll
c:\windows\system32\_004922_.tmp.dll
c:\windows\system32\_004924_.tmp.dll
c:\windows\system32\_004925_.tmp.dll
c:\windows\system32\_004928_.tmp.dll
c:\windows\system32\_004929_.tmp.dll
c:\windows\system32\_004930_.tmp.dll
c:\windows\system32\_004931_.tmp.dll
c:\windows\system32\_004932_.tmp.dll
c:\windows\system32\_004937_.tmp.dll
c:\windows\system32\_004939_.tmp.dll
c:\windows\system32\_004940_.tmp.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\DJSvDcdd.ini
c:\windows\system32\Ilmmonpo.ini
c:\windows\system32\skinboxer43.dll
c:\windows\system32\xyayGfhk.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\UA000106.DLL

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_USNJSVC
-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.

2010-10-20 20:48 . 2008-04-13 23:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-10-20 20:48 . 2001-08-17 21:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-10-20 20:48 . 2008-04-13 23:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-10-20 20:48 . 2001-08-17 21:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-10-20 20:48 . 2001-08-17 21:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-10-20 20:48 . 2001-08-17 21:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-10-20 20:48 . 2001-08-17 11:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-10-20 20:48 . 2004-08-03 21:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-10-20 20:48 . 2004-08-03 21:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-10-20 20:48 . 2008-04-13 17:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-10-20 20:48 . 2004-08-03 21:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-10-20 20:46 . 2001-08-17 13:02 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
2010-10-20 20:45 . 2004-08-03 21:31 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
2010-10-20 20:44 . 2001-08-17 12:52 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2010-10-20 20:43 . 2001-08-17 11:11 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
2010-10-20 20:42 . 2001-08-17 11:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2010-10-20 20:41 . 2001-08-17 21:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-10-20 20:40 . 2001-08-17 21:36 32768 -c--a-w- c:\windows\system32\dllcache\hpgtmcro.dll
2010-10-20 20:39 . 2001-08-17 11:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-10-20 20:38 . 2001-08-17 12:52 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys
2010-10-20 20:37 . 2001-08-17 12:52 22400 -c--a-w- c:\windows\system32\dllcache\asc3350p.sys
2010-10-20 18:16 . 2010-10-20 18:16 0 ----a-w- c:\windows\Czumim.bin
2010-10-18 20:23 . 2010-10-19 07:59 -------- d-----w- c:\documents and settings\Dad\Tracing
2010-10-18 16:45 . 2010-10-18 16:45 -------- d-----w- c:\documents and settings\Kids.PC1\Tracing
2010-10-17 20:57 . 2010-10-17 20:57 -------- d-----w- c:\program files\Microsoft
2010-10-17 20:57 . 2010-10-17 20:57 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-10-17 20:45 . 2010-10-17 20:45 -------- d-----w- c:\program files\Common Files\Windows Live
2010-10-13 19:28 . 2010-10-13 19:28 -------- d-----w- c:\documents and settings\Dad\Application Data\Thunderbird
2010-10-13 19:25 . 2010-10-13 19:25 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-10-11 16:55 . 2010-10-11 16:55 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\Adobe Mini Bridge CS5
2010-10-11 16:55 . 2010-10-11 16:55 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-10-10 10:51 . 2010-10-10 10:51 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\IObit
2010-10-09 18:07 . 2010-10-09 18:15 -------- d-----w- c:\documents and settings\Dad\Application Data\WindSolutions
2010-10-09 18:07 . 2010-10-09 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions
2010-10-06 22:47 . 2010-10-06 22:47 -------- d-----w- c:\program files\TweetDeck
2010-10-05 21:49 . 2010-10-05 21:49 -------- d-----w- c:\documents and settings\Dad\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-10-05 21:49 . 2010-10-05 21:49 -------- d-----w- c:\documents and settings\Dad\Application Data\Adobe Mini Bridge CS5
2010-09-30 22:53 . 2008-05-19 12:13 57344 ----a-w- c:\windows\system32\ASTSRV.EXE
2010-09-30 22:53 . 2010-09-30 22:53 -------- d-----w- c:\program files\Alien Skin
2010-09-30 22:28 . 2010-09-30 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-09-30 22:15 . 2010-09-30 22:15 -------- d-----w- c:\program files\Common Files\Topaz Labs
2010-09-30 22:15 . 2010-09-30 22:15 -------- d-----w- c:\program files\Topaz Labs
2010-09-30 18:32 . 2010-09-30 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2010-09-30 18:20 . 2010-09-30 18:20 -------- d-----w- c:\program files\Adobe Media Player
2010-09-28 23:14 . 2010-09-28 23:14 -------- d-----w- c:\program files\iPod
2010-09-23 21:41 . 2010-09-23 21:41 -------- d-----w- c:\documents and settings\Dad\Application Data\AMPSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-30 328056]
"iTunesFolderWatch"="c:\program files\JezSoft\iTunesFolderWatch\iTunesFolderWatch.exe" [2010-09-08 157696]
"FeedDemon"="c:\program files\FeedDemon\FeedDemon.exe" [2010-06-10 7201280]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-09-18 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Dad\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-2-1 576000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2010-4-3 303104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Dad\Application Data\iolo

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Pro\\wsftpgui.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Documents To Go Desktop\\DocsToGoDesktop.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Runes of Magic\\Client.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"6881:TCP"= 6881:TCP:Azureus
"7777:UDP"= 7777:UDP:planeshift
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"5010:TCP"= 5010:TCP:Iphone
"5010:UDP"= 5010:UDP:iphone2
"5353:UDP"= 5353:UDP:bonjour

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c92be94c0e665a;Google Update Service (gupdate1c92be94c0e665a);c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 133104]
R2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [x]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-04 691696]
S1 aswSP;aswSP; [x]
S2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-05-19 57344]
S2 aswFsBlk;aswFsBlk; [x]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2010-06-11 312152]
S2 WTService;WTService;c:\windows\system32\atwtusb.exe [2008-10-29 372384]
S3 GMFilter Filter;GMFilter Filter;c:\windows\system32\Drivers\GMFilter.sys [2005-06-10 25088]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-20 c:\windows\Tasks\20091118_010900_Dad3.job
- c:\program files\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2007-06-29 19:16]

2010-10-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-PC1-Kids.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-09-30 02:44]

2010-10-21 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-05-23 13:11]

2010-10-21 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-07-04 10:08]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 21:35]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 21:35]

2010-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-343818398-1229272821-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-343818398-1229272821-725345543-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-1229272821-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-1229272821-725345543-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Append to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Create PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Free YouTube Download - c:\documents and settings\Dad\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Dad\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\Evernote\Evernote3.5\enbar.dll
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\
FF - prefs.js: browser.startup.homepage - hxxp://s6-eu.startpage.com/do/mypage.pl?prf=b149ef0eb27be03895df6c1b7d0529d3
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\Dad\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBTEmailConfig.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.txt=Notepad++_file
.
- - - - ORPHANS REMOVED - - - -

BHO-{86DBE499-3DEA-4252-93B8-D1DBADE25BFC} - (no file)
BHO-{FA2D811E-5447-4E2E-AB70-3364ED0CF6F9} - (no file)
HKCU-Run-OpAgent - OpAgent.exe
HKLM-Run-Qqirem - c:\windows\abihixow.dll
ActiveSetup-{232f4e3f2-bab8-11d0-97b9-00c04f98bcb9} - c:\windows\system32\agsystem2.exe
AddRemove-EAX™ Unified (SHELL) - c:\program files\Creative Labs\EAX™ Unified (SHELL)\Uninst.isu
AddRemove-Network Play System (Patching) - c:\program files\Electronic Arts\Network Play System\NPSPatch.isu
AddRemove-{C8C8387B-A98B-44E8-807A-1A9B7F51FFDA} - c:\documents and settings\Dad\Local Settings\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\setup_blazemp.exe



[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3750B08A-6456-EC0A-937B-3A79761E0D83}*]
"hapeoijfkfomahhn"=hex:6d,64,6c,68,68,6b,62,6c,66,6f,61,66,66,66,68,67,61,67,
70,61,62,70,70,62,68,70,65,6e,67,67,63,61,6c,6a,6f,69,6b,6f,64,64,6f,69,69,\
"iadjenfpfjgcfojgne"=hex:6b,61,6b,61,70,64,6e,6e,6e,66,6c,61,6c,6c,64,6a,61,68,
6c,62,66,68,00,6c
"hafgpbkgdpfmcidf"=hex:6b,61,6b,61,6d,64,6b,6f,69,69,63,68,6b,6a,69,6e,68,67,
6e,6a,67,63,00,00

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74274A66-22CF-7507-E36B-140D9A963314}*]
"haacbbhjhbaoammi"=hex:6b,61,65,6d,64,61,65,61,69,70,6b,62,63,6b,66,67,68,66,
63,62,6c,65,00,00

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0d,cd,14,78,f9,80,2c,cc,da,f0,41,96,53,d9,61,2d,ca,a9,43,e1,d0,fd,2b,
97,3d,0d,45,d9,15,e2,72,00,cf,66,53,c8,40,42,f4,3d,f3,ac,b7,41,23,d8,a6,53,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2492)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\program files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Last.fm\LastFM.exe
.
**************************************************************************
.
Completion time: 2010-10-21 20:20:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-21 19:20

Pre-Run: 13,219,295,232 bytes free
Post-Run: 13,216,215,040 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - A8F242BF525954DC9C782394B5552A33

#10 LDTate
Forum Deity; Moderators; 21,126 posts; Gender: Male; Location: Missouri, USA

Posted 21 October 2010 - 03:09 PM

How's it running now?

#11 Hengest
New Member; Members; 12 posts

Posted 21 October 2010 - 03:15 PM

Everything seems to be working fine :)

I got the warnings about abihixow.dll and mswpmt.dll being missing again. Do I need to do anything else?

#12 LDTate
Forum Deity; Moderators; 21,126 posts; Gender: Male; Location: Missouri, USA

Posted 21 October 2010 - 03:32 PM

I'll look at your ComboFix log and post back.

#13 Hengest
New Member; Members; 12 posts

Posted 21 October 2010 - 03:34 PM

Ok thank you :)

#14 LDTate
Forum Deity; Moderators; 21,126 posts; Gender: Male; Location: Missouri, USA

Posted 21 October 2010 - 03:41 PM

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\abihixow.dll
c:\windows\mswpmt.dll

RegNull::
[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3750B08A-6456-EC0A-937B-3A79761E0D83}*]
[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74274A66-22CF-7507-E36B-140D9A963314}*]

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


Drag CFScript.txt into ComboFix.exe


Then post the results log using Copy / Paste


Also please describe how your computer behaves at the moment.

#15 Hengest

Posted 21 October 2010 - 04:24 PM

All now seems to be ok, computer booting up and startup programs loading as normal.

Here is the log:


ComboFix 10-10-20.04 - Dad 21/10/2010 21:52:14.3.2 - x86
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\abihixow.dll"
"c:\windows\mswpmt.dll"
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.

2010-10-20 20:48 . 2008-04-13 23:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-10-20 20:48 . 2001-08-17 21:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-10-20 20:48 . 2008-04-13 23:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-10-20 20:48 . 2001-08-17 21:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-10-20 20:48 . 2001-08-17 21:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-10-20 20:48 . 2001-08-17 21:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-10-20 20:48 . 2001-08-17 11:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-10-20 20:48 . 2004-08-03 21:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-10-20 20:48 . 2004-08-03 21:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-10-20 20:48 . 2008-04-13 17:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-10-20 20:48 . 2004-08-03 21:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-10-20 20:46 . 2001-08-17 13:02 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
2010-10-20 20:45 . 2004-08-03 21:31 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
2010-10-20 20:44 . 2001-08-17 12:52 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2010-10-20 20:43 . 2001-08-17 11:11 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys
2010-10-20 20:42 . 2001-08-17 11:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2010-10-20 20:41 . 2001-08-17 21:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-10-20 20:40 . 2001-08-17 21:36 32768 -c--a-w- c:\windows\system32\dllcache\hpgtmcro.dll
2010-10-20 20:39 . 2001-08-17 11:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys
2010-10-20 20:38 . 2001-08-17 12:52 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys
2010-10-20 20:37 . 2001-08-17 12:52 22400 -c--a-w- c:\windows\system32\dllcache\asc3350p.sys
2010-10-20 18:16 . 2010-10-20 18:16 0 ----a-w- c:\windows\Czumim.bin
2010-10-18 20:23 . 2010-10-19 07:59 -------- d-----w- c:\documents and settings\Dad\Tracing
2010-10-18 16:45 . 2010-10-18 16:45 -------- d-----w- c:\documents and settings\Kids.PC1\Tracing
2010-10-17 20:57 . 2010-10-17 20:57 -------- d-----w- c:\program files\Microsoft
2010-10-17 20:57 . 2010-10-17 20:57 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-10-17 20:45 . 2010-10-17 20:45 -------- d-----w- c:\program files\Common Files\Windows Live
2010-10-13 19:28 . 2010-10-13 19:28 -------- d-----w- c:\documents and settings\Dad\Application Data\Thunderbird
2010-10-13 19:25 . 2010-10-13 19:25 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-10-11 16:55 . 2010-10-11 16:55 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\Adobe Mini Bridge CS5
2010-10-11 16:55 . 2010-10-11 16:55 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-10-10 10:51 . 2010-10-10 10:51 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\IObit
2010-10-09 18:07 . 2010-10-09 18:15 -------- d-----w- c:\documents and settings\Dad\Application Data\WindSolutions
2010-10-09 18:07 . 2010-10-09 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions
2010-10-06 22:47 . 2010-10-06 22:47 -------- d-----w- c:\program files\TweetDeck
2010-10-05 21:49 . 2010-10-05 21:49 -------- d-----w- c:\documents and settings\Dad\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-10-05 21:49 . 2010-10-05 21:49 -------- d-----w- c:\documents and settings\Dad\Application Data\Adobe Mini Bridge CS5
2010-09-30 22:53 . 2008-05-19 12:13 57344 ----a-w- c:\windows\system32\ASTSRV.EXE
2010-09-30 22:53 . 2010-09-30 22:53 -------- d-----w- c:\program files\Alien Skin
2010-09-30 22:28 . 2010-09-30 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-09-30 22:15 . 2010-09-30 22:15 -------- d-----w- c:\program files\Common Files\Topaz Labs
2010-09-30 22:15 . 2010-09-30 22:15 -------- d-----w- c:\program files\Topaz Labs
2010-09-30 18:32 . 2010-09-30 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2010-09-30 18:20 . 2010-09-30 18:20 -------- d-----w- c:\program files\Adobe Media Player
2010-09-28 23:14 . 2010-09-28 23:14 -------- d-----w- c:\program files\iPod
2010-09-23 21:41 . 2010-09-23 21:41 -------- d-----w- c:\documents and settings\Dad\Application Data\AMPSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-30 328056]
"iTunesFolderWatch"="c:\program files\JezSoft\iTunesFolderWatch\iTunesFolderWatch.exe" [2010-09-08 157696]
"FeedDemon"="c:\program files\FeedDemon\FeedDemon.exe" [2010-06-10 7201280]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-09-18 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Dad\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-2-1 576000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2010-4-3 303104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Dad\Application Data\iolo

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Pro\\wsftpgui.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Documents To Go Desktop\\DocsToGoDesktop.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Runes of Magic\\Client.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"6881:TCP"= 6881:TCP:Azureus
"7777:UDP"= 7777:UDP:planeshift
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"5010:TCP"= 5010:TCP:Iphone
"5010:UDP"= 5010:UDP:iphone2
"5353:UDP"= 5353:UDP:bonjour

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/06/2008 20:09 165584]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [30/09/2010 23:53 57344]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/06/2008 20:09 17744]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [24/08/2010 12:02 312152]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
R3 GMFilter Filter;GMFilter Filter;c:\windows\system32\drivers\GMFilter.sys [03/01/2008 19:14 25088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate1c92be94c0e665a;Google Update Service (gupdate1c92be94c0e665a);c:\program files\Google\Update\GoogleUpdate.exe [11/10/2008 22:35 133104]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [19/01/2010 22:53 16512]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13:37 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03/03/2007 20:08 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-20 c:\windows\Tasks\20091118_010900_Dad3.job
- c:\program files\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2007-06-29 19:16]

2010-10-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-PC1-Kids.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-09-30 02:44]

2010-10-21 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-05-23 13:11]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 21:35]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 21:35]

2010-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-343818398-1229272821-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-343818398-1229272821-725345543-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-1229272821-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-1229272821-725345543-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Append to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Create PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Free YouTube Download - c:\documents and settings\Dad\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Dad\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google AdSense Preview Tool - http://pagead2.googl...en/preview.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\Evernote\Evernote3.5\enbar.dll
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\
FF - prefs.js: browser.startup.homepage - hxxp://s6-eu.startpage.com/do/mypage.pl?prf=b149ef0eb27be03895df6c1b7d0529d3
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\Dad\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBTEmailConfig.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF7647000]<< >>UNKNOWN [0xF7637000]<< >>UNKNOWN [0xF75A8000]<< >>UNKNOWN [0x806FF000]<< >>UNKNOWN [0xF7617000]<< >>UNKNOWN [0xF749A000]<< >>UNKNOWN [0xF7717000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xf764bf28
\Driver\ACPI -> 0xf75aecb8
\Driver\atapi -> 0xf76188b4
IoDeviceObjectType -> DeleteProcedure -> 0x805e710a
ParseProcedure -> 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x805e710a
ParseProcedure -> 0x80578f7a
NDIS: VIA Compatable Fast Ethernet Adapter -> SendCompleteHandler -> 0xf7426bb0
PacketIndicateHandler -> 0xf7433a21
SendHandler -> 0xf741187b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0d,cd,14,78,f9,80,2c,cc,da,f0,41,96,53,d9,61,2d,ca,a9,43,e1,d0,fd,2b,
97,3d,0d,45,d9,15,e2,72,00,cf,66,53,c8,40,42,f4,3d,f3,ac,b7,41,23,d8,a6,53,\
"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4036)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\program files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\atwtusb.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-10-21 22:16:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-21 21:16
ComboFix2.txt 2010-10-21 19:20

Pre-Run: 13,218,349,056 bytes free
Post-Run: 13,146,337,280 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 5F4A036981D77BD2CF3846A8E937398B

#16 LDTate

Posted 21 October 2010 - 04:33 PM

Great job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:
  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

For Vista / Windows 7
  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.


Here's my usual all-clean post:

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.


Log looks good :)


  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week
    (even more if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest available security updates installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.


I would suggest you read:
PC Safety and Security--What Do I Need?
How to Prevent Malware
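The Internet Explorer zone settings listed in the post above can be audited (and, if you choose, applied) from PowerShell instead of clicking through the Security tab. This is an added example, not code from the thread: the URL-action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the value meanings (0 = Enable, 1 = Prompt, 3 = Disable) are the documented Internet Explorer security-zone identifiers, while the function and variable names are my own.

```powershell
# Added example (not from the thread): audit the Internet-zone settings
# recommended in the post above for the current user, and optionally set them.
# Value meanings in the zone registry: 0 = Enable, 1 = Prompt, 3 = Disable.

# Per-user zone settings; zone 3 is the Internet zone.
$IeInternetZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The settings named in the post, keyed by IE URL-action ID, with the value the post asks for.
$RecommendedZoneSettings = @{
    '1001' = @{ Label = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Label = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Label = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Label = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Label = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Label = 'Navigate sub-frames across different domains';              Want = 1 }
}

$ZoneValueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IeInternetZoneHardening {
    <#
      Returns one object per recommended setting with the current value,
      the recommended value, and whether they match.
      -Fix writes the recommended value for every non-compliant setting.
    #>
    param(
        [string]$Key = $IeInternetZoneKey,
        [switch]$Fix
    )

    if (-not (Test-Path -Path $Key)) {
        throw "Internet zone key not found: $Key"
    }
    $props = Get-ItemProperty -Path $Key

    foreach ($id in ($RecommendedZoneSettings.Keys | Sort-Object)) {
        $setting   = $RecommendedZoneSettings[$id]
        $current   = $props.$id          # $null when the value has never been set
        $compliant = ($null -ne $current) -and ([int]$current -eq $setting.Want)

        if ($Fix -and -not $compliant) {
            # Zone values are DWORDs; write the value the post recommends.
            Set-ItemProperty -Path $Key -Name $id -Value $setting.Want -Type DWord
        }

        [pscustomobject]@{
            ActionId    = $id
            Setting     = $setting.Label
            Current     = if ($null -eq $current) { '(not set)' } else { $ZoneValueNames[[int]$current] }
            Recommended = $ZoneValueNames[$setting.Want]
            Compliant   = $compliant
        }
    }
}

# Report only; add -Fix to apply the recommended values for the current user.
Test-IeInternetZoneHardening | Format-Table -AutoSize
```

A setting shown as "(not set)" falls back to the zone default, so it is reported as non-compliant; on machines where zone settings are enforced machine-wide by policy, pass the corresponding HKLM key to -Key instead.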

#17 Hengest

Posted 21 October 2010 - 05:10 PM

Thanks for everything, I really appreciate your help :)

#18 LDTate

Posted 21 October 2010 - 05:14 PM

Great job

You're more than welcome.
Glad we were able to help

Peace be with you

#19 Hengest

Posted 21 October 2010 - 05:21 PM

Thanks, I sent you a little something on Paypal.

Good night.

#20 LDTate

Posted 21 October 2010 - 05:22 PM

THANK YOU VERY MUCH :)