Hengest

No explorer or admin permission after Microsoft Security Essentials Alert

21 posts in this topic

Hello,

I ran Malwarebytes after the fake Microsoft Security Essentials Alert appeared on my PC. I now have no Windows explorer and if I try to load it from task manager I get the message "Windows can not load the specified device, path or file. You may not have the appropriate permissions to access the item".

I can load most other things from task manager.

I have done everything recommended here before posting and I think I have attached all of the correct information. I tried twice to save the GMER log but each time the program crashed so instead I copied the results to a text file.

Thanks in advance.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4895

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

20/10/2010 20:49:40

mbam-log-2010-10-20 (20-49-40).txt

Scan type: Quick scan

Objects scanned: 233892

Time elapsed: 48 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\mswpmt.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tziwofoseqov (Trojan.Hiloti) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\mswpmt.dll (Trojan.Hiloti) -> Delete on reboot.

C:\Documents and Settings\Dad\Local Settings\Temp\jtxqvaa.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\7F7G50FQ\cfjeyt[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\7F7G50FQ\aaick[1].htm (Rogue.FakeMSE) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\H2NVEZHG\aaick[2].htm (Rogue.FakeMSE) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\S1MX5BFE\cfjeyt[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dad\Templates\memory.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

DDS (Ver_10-10-10.03) - NTFSx86

Run by Dad at 23:26:32.67 on 20/10/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1392 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\System32\svchost -k DComLaunch

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\atwtusb.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\WINDOWS\system32\atwtusb.exe

C:\Program Files\IObit\Advanced SystemCare 3\AutoSweep.exe

svchost.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Dad\My Documents\My Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Page =

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

mWinlogon: UIHost=c:\windows\system32\logonui.exe

BHO: Network Magic Browser Helper: {07d7f044-2f5f-41b2-baa5-936814af0163} - c:\program files\pure networks\network magic\nmbrhlp2.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp pro\wsbho2k0.dll

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

{86dbe499-3dea-4252-93b8-d1dbade25bfc}

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: {AE40EBA0-2D49-48C9-BA8D-E9F046240F5F} - No File

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

{fa2d811e-5447-4e2e-ab70-3364ed0cf6f9}

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash

uRun: [nmctxth] c:\program files\common files\pure networks shared\platform\nmctxth.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"

uRun: [iTunesFolderWatch] c:\program files\jezsoft\itunesfolderwatch\iTunesFolderWatch.exe

uRun: [FeedDemon] "c:\program files\feeddemon\FeedDemon.exe" /startminimized

uRun: [OpAgent] "OpAgent.exe" /agent

uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"

uRun: [Tziwofoseqov] rundll32.exe "c:\windows\mswpmt.dll",Startup

mRun: [iObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Qqirem] rundll32.exe "c:\windows\abihixow.dll",Startup

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\dad\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe

IE: Add to &Evernote - c:\program files\evernote\evernote3.5\enbar.dll/2000

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append the content of the link to existing PDF file - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

IE: Append the content of the selected links to existing PDF file - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Append to existing PDF file - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Create PDF file - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

IE: Create PDF file from the content of the link - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

IE: Create PDF files from the selected links - c:\program files\nuance\pdf create 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: Free YouTube Download - c:\documents and settings\dad\application data\dvdvideosoftiehelpers\youtubedownload.htm

IE: Free YouTube to Mp3 Converter - c:\documents and settings\dad\application data\dvdvideosoftiehelpers\youtubetomp3.htm

IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\progra~1\bandoo\bndhook.dll,c:\progra~1\bandoo\bndhook.dll,c:\progra~1\bandoo\bndhook.dll,c:\progra~1\bandoo\bndhook.dll,c:\progra~1\bandoo\bndhook.dll c:\progra~1\bandoo\bndhook.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll

LSA: Authentication Packages = msv1_0 c:\windows\system32\opnkiiFx

LSA: Notification Packages = :\windows\system32\srr

mASetup: {232f4e3f2-bab8-11d0-97b9-00c04f98bcb9} - c:\windows\system32\agsystem2.exe -p WinUpdate.exe -p agsystem2.exe -p msrtspr1.exe -f agsystem2.exe -f agony.sys -f WinUpdate.exe -k run -tcp 6667 -udp 6667 -r

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dad\applic~1\mozilla\firefox\profiles\62a7z0jd.default\

FF - prefs.js: browser.startup.homepage - hxxp://s6-eu.startpage.com/do/mypage.pl?prf=b149ef0eb27be03895df6c1b7d0529d3

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll

FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll

FF - component: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll

FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\dad\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\dad\application data\mozilla\firefox\profiles\62a7z0jd.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll

FF - plugin: c:\documents and settings\dad\application data\mozilla\plugins\npcoolirisplugin.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npBTEmailConfig.dll

FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\opera\program\plugins\nprjplug.dll

FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll

FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {BCDD5DB7-E22B-437D-9996-EE84C59A2100} - c:\documents and settings\dad\local settings\application data\{bcdd5db7-e22b-437d-9996-ee84c59a2100}\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-2-27 11264]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-6-10 165584]

R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2010-9-30 57344]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-6-10 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-9 40384]

R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-8-24 312152]

R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-9 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-9 40384]

R3 GMFilter Filter;GMFilter Filter;c:\windows\system32\drivers\GMFilter.sys [2008-1-3 25088]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate1c92be94c0e665a;Google Update Service (gupdate1c92be94c0e665a);c:\program files\google\update\GoogleUpdate.exe [2008-10-11 133104]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]

S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]

S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;\??\c:\windows\system32\drivers\awrtrd.sys --> c:\windows\system32\drivers\AWRTRD.sys [?]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-1-19 16512]

S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.txt=Notepad++_file

=============== Created Last 30 ================

2010-10-20 20:48:47 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2010-10-20 20:48:47 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2010-10-20 20:48:46 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe

2010-10-20 20:48:46 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll

2010-10-20 20:48:45 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe

2010-10-20 20:48:31 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe

2010-10-20 20:48:31 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys

2010-10-20 20:48:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys

2010-10-20 20:48:25 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys

2010-10-20 20:48:05 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys

2010-10-20 20:48:00 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys

2010-10-20 20:46:59 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys

2010-10-20 20:45:58 94698 -c--a-w- c:\windows\system32\dllcache\sk98xwin.sys

2010-10-20 20:44:58 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys

2010-10-20 20:43:57 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys

2010-10-20 20:42:58 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys

2010-10-20 20:41:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll

2010-10-20 20:40:59 32768 -c--a-w- c:\windows\system32\dllcache\hpgtmcro.dll

2010-10-20 20:39:56 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys

2010-10-20 20:38:59 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys

2010-10-20 20:37:59 26496 -c--a-w- c:\windows\system32\dllcache\asc.sys

2010-10-20 18:16:34 0 ----a-w- c:\windows\Czumim.bin

2010-10-20 18:16:31 -------- d-----w- c:\docume~1\dad\locals~1\applic~1\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}

2010-10-18 20:23:50 -------- d-----w- c:\documents and settings\dad\Tracing

2010-10-17 20:57:49 -------- d-----w- c:\program files\Microsoft

2010-10-17 20:57:28 -------- d-----w- c:\program files\Windows Live SkyDrive

2010-10-17 20:53:59 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc24F.tmp

2010-10-17 20:45:16 -------- d-----w- c:\program files\common files\Windows Live

2010-10-09 18:07:07 -------- d-----w- c:\docume~1\dad\applic~1\WindSolutions

2010-10-09 18:07:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\WindSolutions

2010-10-06 22:47:22 -------- d-----w- c:\program files\TweetDeck

2010-10-05 21:49:02 -------- d-----w- c:\docume~1\dad\applic~1\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

2010-10-05 21:49:02 -------- d-----w- c:\docume~1\dad\applic~1\Adobe Mini Bridge CS5

2010-09-30 22:53:18 57344 ----a-w- c:\windows\system32\ASTSRV.EXE

2010-09-30 22:53:15 -------- d-----w- c:\program files\Alien Skin

2010-09-30 22:28:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\boost_interprocess

2010-09-30 22:15:35 -------- d-----w- c:\program files\common files\Topaz Labs

2010-09-30 22:15:34 -------- d-----w- c:\program files\Topaz Labs

2010-09-30 18:32:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\regid.1986-12.com.adobe

2010-09-28 23:14:22 -------- d-----w- c:\program files\iPod

2010-09-23 21:41:01 -------- d-----w- c:\docume~1\dad\applic~1\AMPSoft

==================== Find3M ====================

2010-09-19 18:50:03 8892928 ----a-w- c:\docume~1\alluse~1\applic~1\atscie.msi

2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-12 18:29:48 2772992 ----a-w- c:\windows\system32\GPhotos.scr

2010-07-27 17:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-07-27 17:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-23 20:02:41 81408 ----a-w- c:\program files\taskkill.exe

============= FINISH: 23:29:20.42 ===============

Attach.zip


:)

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Thanks for the response LDTate

2010/10/21 16:34:40.0578 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59

2010/10/21 16:34:40.0578 ================================================================================

2010/10/21 16:34:40.0578 SystemInfo:

2010/10/21 16:34:40.0578

2010/10/21 16:34:40.0578 OS Version: 5.1.2600 ServicePack: 3.0

2010/10/21 16:34:40.0578 Product type: Workstation

2010/10/21 16:34:40.0578 ComputerName: PC1

2010/10/21 16:34:40.0578 UserName: Dad

2010/10/21 16:34:40.0578 Windows directory: C:\WINDOWS

2010/10/21 16:34:40.0578 System windows directory: C:\WINDOWS

2010/10/21 16:34:40.0578 Processor architecture: Intel x86

2010/10/21 16:34:40.0578 Number of processors: 2

2010/10/21 16:34:40.0578 Page size: 0x1000

2010/10/21 16:34:40.0578 Boot type: Normal boot

2010/10/21 16:34:40.0578 ================================================================================

2010/10/21 16:34:40.0859 Initialize success

2010/10/21 16:34:56.0781 ================================================================================

2010/10/21 16:34:56.0781 Scan started

2010/10/21 16:34:56.0781 Mode: Manual;

2010/10/21 16:34:56.0781 ================================================================================

2010/10/21 16:34:57.0500 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys

2010/10/21 16:34:57.0671 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/10/21 16:34:57.0750 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/10/21 16:34:58.0000 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/10/21 16:34:58.0062 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/10/21 16:34:58.0531 ASPI (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\System32\DRIVERS\ASPI32.sys

2010/10/21 16:34:58.0640 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys

2010/10/21 16:34:58.0718 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys

2010/10/21 16:34:58.0765 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys

2010/10/21 16:34:58.0812 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys

2010/10/21 16:34:58.0875 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys

2010/10/21 16:34:58.0921 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/10/21 16:34:59.0000 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/10/21 16:34:59.0250 ati2mtag (b1ae41cfe277e043837aa2b875adb757) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/10/21 16:34:59.0421 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/10/21 16:34:59.0515 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/10/21 16:34:59.0562 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/10/21 16:34:59.0750 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys

2010/10/21 16:34:59.0796 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys

2010/10/21 16:34:59.0859 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys

2010/10/21 16:34:59.0953 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys

2010/10/21 16:35:00.0031 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys

2010/10/21 16:35:00.0125 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/10/21 16:35:00.0203 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2010/10/21 16:35:00.0296 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/10/21 16:35:00.0359 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/10/21 16:35:00.0406 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/10/21 16:35:00.0890 DgiVecp (770471de2550820feeb7e5d24bf2e273) C:\WINDOWS\system32\Drivers\DgiVecp.sys

2010/10/21 16:35:00.0953 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/10/21 16:35:01.0062 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/10/21 16:35:01.0156 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/10/21 16:35:01.0203 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/10/21 16:35:01.0281 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/10/21 16:35:01.0406 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/10/21 16:35:01.0484 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys

2010/10/21 16:35:01.0593 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/10/21 16:35:01.0718 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/10/21 16:35:01.0796 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys

2010/10/21 16:35:01.0843 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/10/21 16:35:01.0953 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/10/21 16:35:02.0046 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/10/21 16:35:02.0093 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/10/21 16:35:02.0140 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/10/21 16:35:02.0218 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

2010/10/21 16:35:02.0281 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2010/10/21 16:35:02.0375 GMFilter Filter (9b5caa1c5ca37b533e6d5f2467d4eade) C:\WINDOWS\system32\Drivers\GMFilter.sys

2010/10/21 16:35:02.0484 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/10/21 16:35:02.0562 GT680x (7b90be6811334caa9243b89f3d3fee1a) C:\WINDOWS\system32\Drivers\gt680x.sys

2010/10/21 16:35:02.0906 hardlock (f3e34776d8b8ab665d051a8674fdf4cc) C:\WINDOWS\system32\drivers\hardlock.sys

2010/10/21 16:35:03.0015 Haspnt (2dd25f060dc9f79b5cdf33d90ed93669) C:\WINDOWS\system32\drivers\Haspnt.sys

2010/10/21 16:35:03.0093 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/10/21 16:35:03.0156 HidBth (7bd2de4c85eb4241eed57672b16a7d8d) C:\WINDOWS\system32\DRIVERS\hidbth.sys

2010/10/21 16:35:03.0234 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/10/21 16:35:03.0375 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/10/21 16:35:03.0468 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/10/21 16:35:03.0531 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/10/21 16:35:03.0640 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/10/21 16:35:03.0843 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys

2010/10/21 16:35:03.0890 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/10/21 16:35:04.0171 IntcAzAudAddService (a5d5b8c427f4b67580fb2b511291a89d) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2010/10/21 16:35:04.0421 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/10/21 16:35:04.0500 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/10/21 16:35:04.0562 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/10/21 16:35:04.0734 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/10/21 16:35:04.0796 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/10/21 16:35:04.0875 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/10/21 16:35:04.0937 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys

2010/10/21 16:35:05.0000 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/10/21 16:35:05.0078 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys

2010/10/21 16:35:05.0156 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/10/21 16:35:05.0218 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/10/21 16:35:05.0250 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/10/21 16:35:05.0343 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/10/21 16:35:05.0437 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/10/21 16:35:05.0562 LVUSBSta (c5efbd05a5195402121711a6ebbb271f) C:\WINDOWS\system32\drivers\lvusbsta.sys

2010/10/21 16:35:05.0750 MarvinBus (a3e700d78eec390f1208098cdca5c6b6) C:\WINDOWS\system32\DRIVERS\MarvinBus.sys

2010/10/21 16:35:05.0875 MASPINT (a2ae666cee860babe7fa6f1662b71737) C:\WINDOWS\system32\drivers\MASPINT.sys

2010/10/21 16:35:05.0937 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys

2010/10/21 16:35:06.0015 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/10/21 16:35:06.0093 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/10/21 16:35:06.0171 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/10/21 16:35:06.0218 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/10/21 16:35:06.0296 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/10/21 16:35:06.0359 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys

2010/10/21 16:35:06.0609 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/10/21 16:35:06.0718 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/10/21 16:35:06.0781 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/10/21 16:35:06.0843 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/10/21 16:35:06.0906 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/10/21 16:35:06.0968 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/10/21 16:35:07.0062 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/10/21 16:35:07.0140 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2010/10/21 16:35:07.0234 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys

2010/10/21 16:35:07.0281 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/10/21 16:35:07.0343 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/10/21 16:35:07.0437 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/10/21 16:35:07.0500 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/10/21 16:35:07.0578 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/10/21 16:35:07.0671 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/10/21 16:35:07.0703 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/10/21 16:35:07.0750 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/10/21 16:35:07.0796 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/10/21 16:35:07.0843 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/10/21 16:35:07.0968 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys

2010/10/21 16:35:08.0031 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/10/21 16:35:08.0109 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/10/21 16:35:08.0187 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/10/21 16:35:08.0265 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/10/21 16:35:08.0359 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/10/21 16:35:08.0421 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/10/21 16:35:08.0484 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/10/21 16:35:08.0531 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/10/21 16:35:08.0609 pccsmcfd (175cc28dcf819f78caa3fbd44ad9e52a) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys

2010/10/21 16:35:08.0734 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/10/21 16:35:08.0875 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/10/21 16:35:08.0953 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/10/21 16:35:09.0359 pnarp (dea06627596015263360097c2608384e) C:\WINDOWS\system32\DRIVERS\pnarp.sys

2010/10/21 16:35:09.0453 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/10/21 16:35:09.0500 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/10/21 16:35:09.0546 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/10/21 16:35:09.0609 purendis (c0cdb9f7ce42c3487f0bea409bf5d153) C:\WINDOWS\system32\DRIVERS\purendis.sys

2010/10/21 16:35:09.0765 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/10/21 16:35:09.0890 QCMerced (9a155d31b8e52f41b258282092cc93a7) C:\WINDOWS\system32\DRIVERS\LVCM.sys

2010/10/21 16:35:10.0187 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/10/21 16:35:10.0250 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys

2010/10/21 16:35:10.0312 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/10/21 16:35:10.0375 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/10/21 16:35:10.0406 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/10/21 16:35:10.0468 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/10/21 16:35:10.0546 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/10/21 16:35:10.0765 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/10/21 16:35:10.0953 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/10/21 16:35:11.0031 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/10/21 16:35:11.0125 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys

2010/10/21 16:35:11.0250 s117bus (1f561844318914e7eb6e54673a4cc54c) C:\WINDOWS\system32\DRIVERS\s117bus.sys

2010/10/21 16:35:11.0328 s117mdfl (ba93eec3cdf6a63b77ae66221aa4f902) C:\WINDOWS\system32\DRIVERS\s117mdfl.sys

2010/10/21 16:35:11.0406 s117mdm (cba12fd8a8ee5b5cdfbbae2381cd6703) C:\WINDOWS\system32\DRIVERS\s117mdm.sys

2010/10/21 16:35:11.0484 s117mgmt (bd6483e64b1da17e812b34bcdefd9459) C:\WINDOWS\system32\DRIVERS\s117mgmt.sys

2010/10/21 16:35:11.0562 s117nd5 (c7ca36c3054b4cd47a1f6611b046e2f9) C:\WINDOWS\system32\DRIVERS\s117nd5.sys

2010/10/21 16:35:11.0656 s117obex (e290b3a6b58fb72ca97dd48d64e4fc1c) C:\WINDOWS\system32\DRIVERS\s117obex.sys

2010/10/21 16:35:11.0734 s117unic (5c4d1ba23c7511ac880e8ba7baa80dba) C:\WINDOWS\system32\DRIVERS\s117unic.sys

2010/10/21 16:35:11.0843 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\WINDOWS\system32\drivers\SCDEmu.sys

2010/10/21 16:35:11.0921 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/10/21 16:35:12.0000 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/10/21 16:35:12.0125 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/10/21 16:35:12.0875 sfdrv01 (4c0d673281178cb496011a2e28571fc8) C:\WINDOWS\system32\drivers\sfdrv01.sys

2010/10/21 16:35:13.0203 sfhlp02 (15be2b5e4dc5b8623cf167720682abc9) C:\WINDOWS\system32\drivers\sfhlp02.sys

2010/10/21 16:35:13.0484 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/10/21 16:35:14.0156 sfsync02 (efebbc1d13fdb77a6af4eddfc7232edf) C:\WINDOWS\system32\drivers\sfsync02.sys

2010/10/21 16:35:14.0296 sfvfs02 (9ef50060cc7e6953bab83f2a42ccc421) C:\WINDOWS\system32\drivers\sfvfs02.sys

2010/10/21 16:35:15.0015 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/10/21 16:35:15.0281 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/10/21 16:35:15.0359 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\System32\Drivers\sptd.sys

2010/10/21 16:35:15.0421 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/10/21 16:35:15.0484 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/10/21 16:35:15.0656 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/10/21 16:35:15.0781 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/10/21 16:35:15.0828 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/10/21 16:35:16.0078 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/10/21 16:35:16.0171 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/10/21 16:35:16.0234 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/10/21 16:35:16.0328 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/10/21 16:35:16.0390 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/10/21 16:35:16.0531 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys

2010/10/21 16:35:16.0593 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/10/21 16:35:16.0796 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/10/21 16:35:16.0906 USB28xxBGA (68a00f7bd18bc3af2d98a75142e1c74e) C:\WINDOWS\system32\DRIVERS\emBDA.sys

2010/10/21 16:35:17.0015 USB28xxOEM (d52f4fc7788d670a78b2c253717b5330) C:\WINDOWS\system32\DRIVERS\emOEM.sys

2010/10/21 16:35:17.0093 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/10/21 16:35:17.0187 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/10/21 16:35:17.0218 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/10/21 16:35:17.0296 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/10/21 16:35:17.0328 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/10/21 16:35:17.0375 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/10/21 16:35:17.0453 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/10/21 16:35:17.0515 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/10/21 16:35:17.0593 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/10/21 16:35:17.0718 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

2010/10/21 16:35:17.0781 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/10/21 16:35:17.0828 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/10/21 16:35:17.0906 videX32 (c8ee49fa76eb7c41a9cddfe58151a74e) C:\WINDOWS\system32\DRIVERS\videX32.sys

2010/10/21 16:35:18.0000 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/10/21 16:35:18.0093 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/10/21 16:35:18.0187 wceusbsh (4c0b8ef721783f52f8e531fbdc4b1f74) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys

2010/10/21 16:35:18.0265 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/10/21 16:35:18.0359 WinDriver6 (097a8291df541f9b9af2c500797cdcaa) C:\WINDOWS\system32\drivers\windrvr6.sys

2010/10/21 16:35:18.0515 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2010/10/21 16:35:18.0609 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/10/21 16:35:18.0703 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/10/21 16:35:18.0812 WudfPf (50eb9e21963b4f06fd010d007d54351b) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/10/21 16:35:18.0875 WudfRd (6e209664bdea8a15b5e8e480d6c607c2) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/10/21 16:35:18.0984 xfilt (fcbc27869092850cdb75139f3818653a) C:\WINDOWS\system32\DRIVERS\xfilt.sys

2010/10/21 16:35:19.0125 ================================================================================

2010/10/21 16:35:19.0125 Scan finished

2010/10/21 16:35:19.0125 ================================================================================


Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Ok, well I ran Combofix following the instructions.

After a while the system rebooted and I had regained all of my desktop icons and status bar.

I got 2 warnings about missing dll files (abihixow.dll and mswpmt.dll).

Combofix was still active and said "Preparing Log Report - Do not run any programs until Combofix has finished", and this remained for about 15 minutes after all hard drive activity had stopped, so I assumed it was hanging.

The log file was present and is as follows:

ComboFix 10-10-20.04 - Dad 21/10/2010 16:53:05.1.2 - x86

Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Dad\EULA.txt

C:\Documents and Settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}

C:\Documents and Settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome.manifest

C:\Documents and Settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome\content\_cfg.js

C:\Documents and Settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome\content\overlay.xul

C:\Documents and Settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\install.rdf

C:\Documents and Settings\Kids.PC1\Application Data\alot

C:\Documents and Settings\Kids.PC1\GoToAssistDownloadHelper.exe

C:\WINDOWS\abihixow.dll

C:\WINDOWS\system32\_004840_.tmp.dll

C:\WINDOWS\system32\_004841_.tmp.dll

C:\WINDOWS\system32\_004842_.tmp.dll

C:\WINDOWS\system32\_004843_.tmp.dll

C:\WINDOWS\system32\_004850_.tmp.dll

C:\WINDOWS\system32\_004851_.tmp.dll

C:\WINDOWS\system32\_004852_.tmp.dll

C:\WINDOWS\system32\_004853_.tmp.dll

C:\WINDOWS\system32\_004854_.tmp.dll

C:\WINDOWS\system32\_004855_.tmp.dll

C:\WINDOWS\system32\_004856_.tmp.dll

C:\WINDOWS\system32\_004857_.tmp.dll

C:\WINDOWS\system32\_004858_.tmp.dll

C:\WINDOWS\system32\_004859_.tmp.dll

C:\WINDOWS\system32\_004860_.tmp.dll

C:\WINDOWS\system32\_004861_.tmp.dll

C:\WINDOWS\system32\_004862_.tmp.dll

C:\WINDOWS\system32\_004863_.tmp.dll

C:\WINDOWS\system32\_004864_.tmp.dll

C:\WINDOWS\system32\_004866_.tmp.dll

C:\WINDOWS\system32\_004868_.tmp.dll

C:\WINDOWS\system32\_004869_.tmp.dll

C:\WINDOWS\system32\_004870_.tmp.dll

C:\WINDOWS\system32\_004874_.tmp.dll

C:\WINDOWS\system32\_004875_.tmp.dll

C:\WINDOWS\system32\_004877_.tmp.dll

C:\WINDOWS\system32\_004878_.tmp.dll

C:\WINDOWS\system32\_004879_.tmp.dll

C:\WINDOWS\system32\_004880_.tmp.dll

C:\WINDOWS\system32\_004881_.tmp.dll

C:\WINDOWS\system32\_004882_.tmp.dll

C:\WINDOWS\system32\_004883_.tmp.dll

C:\WINDOWS\system32\_004885_.tmp.dll

C:\WINDOWS\system32\_004886_.tmp.dll

C:\WINDOWS\system32\_004887_.tmp.dll

C:\WINDOWS\system32\_004888_.tmp.dll

C:\WINDOWS\system32\_004889_.tmp.dll

C:\WINDOWS\system32\_004890_.tmp.dll

C:\WINDOWS\system32\_004891_.tmp.dll

C:\WINDOWS\system32\_004892_.tmp.dll

C:\WINDOWS\system32\_004893_.tmp.dll

C:\WINDOWS\system32\_004896_.tmp.dll

C:\WINDOWS\system32\_004897_.tmp.dll

C:\WINDOWS\system32\_004898_.tmp.dll

C:\WINDOWS\system32\_004900_.tmp.dll

C:\WINDOWS\system32\_004901_.tmp.dll

C:\WINDOWS\system32\_004902_.tmp.dll

C:\WINDOWS\system32\_004903_.tmp.dll

C:\WINDOWS\system32\_004904_.tmp.dll

C:\WINDOWS\system32\_004906_.tmp.dll

C:\WINDOWS\system32\_004908_.tmp.dll

C:\WINDOWS\system32\_004909_.tmp.dll

C:\WINDOWS\system32\_004910_.tmp.dll

C:\WINDOWS\system32\_004914_.tmp.dll

C:\WINDOWS\system32\_004915_.tmp.dll

C:\WINDOWS\system32\_004917_.tmp.dll

C:\WINDOWS\system32\_004920_.tmp.dll

C:\WINDOWS\system32\_004922_.tmp.dll

C:\WINDOWS\system32\_004924_.tmp.dll

C:\WINDOWS\system32\_004925_.tmp.dll

C:\WINDOWS\system32\_004928_.tmp.dll

C:\WINDOWS\system32\_004929_.tmp.dll

C:\WINDOWS\system32\_004930_.tmp.dll

C:\WINDOWS\system32\_004931_.tmp.dll

C:\WINDOWS\system32\_004932_.tmp.dll

C:\WINDOWS\system32\_004937_.tmp.dll

C:\WINDOWS\system32\_004939_.tmp.dll

C:\WINDOWS\system32\_004940_.tmp.dll

C:\WINDOWS\system32\AutoRun.inf

C:\WINDOWS\system32\ccrpTmr6.dll

C:\WINDOWS\system32\DJSvDcdd.ini

C:\WINDOWS\system32\Ilmmonpo.ini

C:\WINDOWS\system32\skinboxer43.dll

C:\WINDOWS\system32\xyayGfhk.ini

C:\WINDOWS\Tasks\At1.job

C:\WINDOWS\Tasks\At10.job

C:\WINDOWS\Tasks\At11.job

C:\WINDOWS\Tasks\At12.job

C:\WINDOWS\Tasks\At13.job

C:\WINDOWS\Tasks\At14.job

C:\WINDOWS\Tasks\At15.job

C:\WINDOWS\Tasks\At16.job

C:\WINDOWS\Tasks\At17.job

C:\WINDOWS\Tasks\At18.job

C:\WINDOWS\Tasks\At19.job

C:\WINDOWS\Tasks\At2.job

C:\WINDOWS\Tasks\At20.job

C:\WINDOWS\Tasks\At21.job

C:\WINDOWS\Tasks\At22.job

C:\WINDOWS\Tasks\At23.job

C:\WINDOWS\Tasks\At24.job

C:\WINDOWS\Tasks\At3.job

C:\WINDOWS\Tasks\At4.job

C:\WINDOWS\Tasks\At5.job

C:\WINDOWS\Tasks\At6.job

C:\WINDOWS\Tasks\At7.job

C:\WINDOWS\Tasks\At8.job

C:\WINDOWS\Tasks\At9.job

C:\WINDOWS\UA000106.DLL

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Legacy_USNJSVC

-------\Service_usnjsvc

((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))

.

2010-10-20 20:44:58 . 2001-08-17 12:52:18 49024 -c--a-w- C:\WINDOWS\system32\dllcache\ql1280.sys

2010-10-20 20:43:57 . 2001-08-17 11:11:36 65278 -c--a-w- C:\WINDOWS\system32\dllcache\netflx3.sys

2010-10-20 20:42:58 . 2001-08-17 11:12:26 164586 -c--a-w- C:\WINDOWS\system32\dllcache\mdgndis5.sys

2010-10-20 20:41:36 . 2001-08-17 21:36:16 372824 -c--a-w- C:\WINDOWS\system32\dllcache\iconf32.dll

2010-10-20 20:40:59 . 2001-08-17 21:36:16 32768 -c--a-w- C:\WINDOWS\system32\dllcache\hpgtmcro.dll

2010-10-20 20:39:56 . 2001-08-17 11:20:18 334208 -c--a-w- C:\WINDOWS\system32\dllcache\ds1wdm.sys

2010-10-20 20:38:59 . 2001-08-17 12:52:06 7680 -c--a-w- C:\WINDOWS\system32\dllcache\cd20xrnt.sys

2010-10-20 20:37:59 . 2001-08-17 12:52:04 22400 -c--a-w- C:\WINDOWS\system32\dllcache\asc3350p.sys

2010-10-20 18:16:34 . 2010-10-20 18:16:34 0 ----a-w- C:\WINDOWS\Czumim.bin

2010-10-18 20:23:50 . 2010-10-19 07:59:29 -------- d-----w- C:\Documents and Settings\Dad\Tracing

2010-10-18 16:45:44 . 2010-10-18 16:45:47 -------- d-----w- C:\Documents and Settings\Kids.PC1\Tracing

2010-10-17 20:57:49 . 2010-10-17 20:57:49 -------- d-----w- C:\Program Files\Microsoft

2010-10-17 20:57:28 . 2010-10-17 20:57:28 -------- d-----w- C:\Program Files\Windows Live SkyDrive

2010-10-17 20:45:16 . 2010-10-17 20:45:16 -------- d-----w- C:\Program Files\Common Files\Windows Live

2010-10-13 19:28:17 . 2010-10-13 19:28:19 -------- d-----w- C:\Documents and Settings\Dad\Application Data\Thunderbird

2010-10-13 19:25:34 . 2010-10-13 19:25:40 -------- d-----w- C:\Program Files\Mozilla Thunderbird

2010-10-11 16:55:48 . 2010-10-11 16:55:48 -------- d-----w- C:\Documents and Settings\Kids.PC1\Application Data\Adobe Mini Bridge CS5

2010-10-11 16:55:47 . 2010-10-11 16:55:47 -------- d-----w- C:\Documents and Settings\Kids.PC1\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

2010-10-10 10:51:21 . 2010-10-10 10:51:21 -------- d-----w- C:\Documents and Settings\Kids.PC1\Application Data\IObit

2010-10-09 18:07:07 . 2010-10-09 18:15:08 -------- d-----w- C:\Documents and Settings\Dad\Application Data\WindSolutions

2010-10-09 18:07:07 . 2010-10-09 18:15:01 -------- d-----w- C:\Documents and Settings\All Users\Application Data\WindSolutions

2010-10-06 22:47:22 . 2010-10-06 22:47:23 -------- d-----w- C:\Program Files\TweetDeck

2010-10-05 21:49:02 . 2010-10-05 21:49:02 -------- d-----w- C:\Documents and Settings\Dad\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

2010-10-05 21:49:02 . 2010-10-05 21:49:02 -------- d-----w- C:\Documents and Settings\Dad\Application Data\Adobe Mini Bridge CS5

2010-09-30 22:53:18 . 2008-05-19 12:13:20 57344 ----a-w- C:\WINDOWS\system32\ASTSRV.EXE

2010-09-30 22:53:15 . 2010-09-30 22:53:18 -------- d-----w- C:\Program Files\Alien Skin

2010-09-30 22:28:18 . 2010-09-30 22:28:18 -------- d-----w- C:\Documents and Settings\All Users\Application Data\boost_interprocess

2010-09-30 22:15:35 . 2010-09-30 22:15:39 -------- d-----w- C:\Program Files\Common Files\Topaz Labs

2010-09-30 22:15:34 . 2010-09-30 22:15:34 -------- d-----w- C:\Program Files\Topaz Labs

2010-09-30 18:32:01 . 2010-09-30 18:40:22 -------- d-----w- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe

2010-09-30 18:20:31 . 2010-09-30 18:20:31 -------- d-----w- C:\Program Files\Adobe Media Player

2010-09-28 23:14:22 . 2010-09-28 23:14:22 -------- d-----w- C:\Program Files\iPod

2010-09-23 21:41:01 . 2010-09-23 21:41:01 -------- d-----w- C:\Documents and Settings\Dad\Application Data\AMPSoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.


That's not the complete log.

Try copying it again.


That is all there is. The Combofix window is still open and saying the same thing so it has definitely crashed. Should I run it again?

That is all there is. The Combofix window is still open and saying the same thing so it has definitely crashed. Should I run it again?
Yes, run a new scan


It worked this time....

ComboFix 10-10-20.04 - Dad 21/10/2010 19:46:39.2.2 - x86

Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\Dad\EULA.txt

c:\documents and settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome.manifest

c:\documents and settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome\content\_cfg.js

c:\documents and settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\chrome\content\overlay.xul

c:\documents and settings\Dad\Local Settings\Application Data\{BCDD5DB7-E22B-437D-9996-EE84C59A2100}\install.rdf

c:\documents and settings\Kids.PC1\GoToAssistDownloadHelper.exe

c:\windows\abihixow.dll

c:\windows\system32\_004840_.tmp.dll

c:\windows\system32\_004841_.tmp.dll

c:\windows\system32\_004842_.tmp.dll

c:\windows\system32\_004843_.tmp.dll

c:\windows\system32\_004850_.tmp.dll

c:\windows\system32\_004851_.tmp.dll

c:\windows\system32\_004852_.tmp.dll

c:\windows\system32\_004853_.tmp.dll

c:\windows\system32\_004854_.tmp.dll

c:\windows\system32\_004855_.tmp.dll

c:\windows\system32\_004856_.tmp.dll

c:\windows\system32\_004857_.tmp.dll

c:\windows\system32\_004858_.tmp.dll

c:\windows\system32\_004859_.tmp.dll

c:\windows\system32\_004860_.tmp.dll

c:\windows\system32\_004861_.tmp.dll

c:\windows\system32\_004862_.tmp.dll

c:\windows\system32\_004863_.tmp.dll

c:\windows\system32\_004864_.tmp.dll

c:\windows\system32\_004866_.tmp.dll

c:\windows\system32\_004868_.tmp.dll

c:\windows\system32\_004869_.tmp.dll

c:\windows\system32\_004870_.tmp.dll

c:\windows\system32\_004874_.tmp.dll

c:\windows\system32\_004875_.tmp.dll

c:\windows\system32\_004877_.tmp.dll

c:\windows\system32\_004878_.tmp.dll

c:\windows\system32\_004879_.tmp.dll

c:\windows\system32\_004880_.tmp.dll

c:\windows\system32\_004881_.tmp.dll

c:\windows\system32\_004882_.tmp.dll

c:\windows\system32\_004883_.tmp.dll

c:\windows\system32\_004885_.tmp.dll

c:\windows\system32\_004886_.tmp.dll

c:\windows\system32\_004887_.tmp.dll

c:\windows\system32\_004888_.tmp.dll

c:\windows\system32\_004889_.tmp.dll

c:\windows\system32\_004890_.tmp.dll

c:\windows\system32\_004891_.tmp.dll

c:\windows\system32\_004892_.tmp.dll

c:\windows\system32\_004893_.tmp.dll

c:\windows\system32\_004896_.tmp.dll

c:\windows\system32\_004897_.tmp.dll

c:\windows\system32\_004898_.tmp.dll

c:\windows\system32\_004900_.tmp.dll

c:\windows\system32\_004901_.tmp.dll

c:\windows\system32\_004902_.tmp.dll

c:\windows\system32\_004903_.tmp.dll

c:\windows\system32\_004904_.tmp.dll

c:\windows\system32\_004906_.tmp.dll

c:\windows\system32\_004908_.tmp.dll

c:\windows\system32\_004909_.tmp.dll

c:\windows\system32\_004910_.tmp.dll

c:\windows\system32\_004914_.tmp.dll

c:\windows\system32\_004915_.tmp.dll

c:\windows\system32\_004917_.tmp.dll

c:\windows\system32\_004920_.tmp.dll

c:\windows\system32\_004922_.tmp.dll

c:\windows\system32\_004924_.tmp.dll

c:\windows\system32\_004925_.tmp.dll

c:\windows\system32\_004928_.tmp.dll

c:\windows\system32\_004929_.tmp.dll

c:\windows\system32\_004930_.tmp.dll

c:\windows\system32\_004931_.tmp.dll

c:\windows\system32\_004932_.tmp.dll

c:\windows\system32\_004937_.tmp.dll

c:\windows\system32\_004939_.tmp.dll

c:\windows\system32\_004940_.tmp.dll

c:\windows\system32\AutoRun.inf

c:\windows\system32\ccrpTmr6.dll

c:\windows\system32\DJSvDcdd.ini

c:\windows\system32\Ilmmonpo.ini

c:\windows\system32\skinboxer43.dll

c:\windows\system32\xyayGfhk.ini

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

c:\windows\UA000106.DLL

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Legacy_USNJSVC

-------\Service_usnjsvc

((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))

.

2010-10-20 20:48 . 2008-04-13 23:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2010-10-20 20:48 . 2001-08-17 21:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2010-10-20 20:48 . 2008-04-13 23:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll

2010-10-20 20:48 . 2001-08-17 21:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe

2010-10-20 20:48 . 2001-08-17 21:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe

2010-10-20 20:48 . 2001-08-17 21:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe

2010-10-20 20:48 . 2001-08-17 11:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys

2010-10-20 20:48 . 2004-08-03 21:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys

2010-10-20 20:48 . 2004-08-03 21:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys

2010-10-20 20:48 . 2008-04-13 17:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys

2010-10-20 20:48 . 2004-08-03 21:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys

2010-10-20 20:46 . 2001-08-17 13:02 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys

2010-10-20 20:45 . 2004-08-03 21:31 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys

2010-10-20 20:44 . 2001-08-17 12:52 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys

2010-10-20 20:43 . 2001-08-17 11:11 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys

2010-10-20 20:42 . 2001-08-17 11:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys

2010-10-20 20:41 . 2001-08-17 21:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll

2010-10-20 20:40 . 2001-08-17 21:36 32768 -c--a-w- c:\windows\system32\dllcache\hpgtmcro.dll

2010-10-20 20:39 . 2001-08-17 11:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys

2010-10-20 20:38 . 2001-08-17 12:52 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys

2010-10-20 20:37 . 2001-08-17 12:52 22400 -c--a-w- c:\windows\system32\dllcache\asc3350p.sys

2010-10-20 18:16 . 2010-10-20 18:16 0 ----a-w- c:\windows\Czumim.bin

2010-10-18 20:23 . 2010-10-19 07:59 -------- d-----w- c:\documents and settings\Dad\Tracing

2010-10-18 16:45 . 2010-10-18 16:45 -------- d-----w- c:\documents and settings\Kids.PC1\Tracing

2010-10-17 20:57 . 2010-10-17 20:57 -------- d-----w- c:\program files\Microsoft

2010-10-17 20:57 . 2010-10-17 20:57 -------- d-----w- c:\program files\Windows Live SkyDrive

2010-10-17 20:45 . 2010-10-17 20:45 -------- d-----w- c:\program files\Common Files\Windows Live

2010-10-13 19:28 . 2010-10-13 19:28 -------- d-----w- c:\documents and settings\Dad\Application Data\Thunderbird

2010-10-13 19:25 . 2010-10-13 19:25 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-10-11 16:55 . 2010-10-11 16:55 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\Adobe Mini Bridge CS5

2010-10-11 16:55 . 2010-10-11 16:55 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

2010-10-10 10:51 . 2010-10-10 10:51 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\IObit

2010-10-09 18:07 . 2010-10-09 18:15 -------- d-----w- c:\documents and settings\Dad\Application Data\WindSolutions

2010-10-09 18:07 . 2010-10-09 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions

2010-10-06 22:47 . 2010-10-06 22:47 -------- d-----w- c:\program files\TweetDeck

2010-10-05 21:49 . 2010-10-05 21:49 -------- d-----w- c:\documents and settings\Dad\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

2010-10-05 21:49 . 2010-10-05 21:49 -------- d-----w- c:\documents and settings\Dad\Application Data\Adobe Mini Bridge CS5

2010-09-30 22:53 . 2008-05-19 12:13 57344 ----a-w- c:\windows\system32\ASTSRV.EXE

2010-09-30 22:53 . 2010-09-30 22:53 -------- d-----w- c:\program files\Alien Skin

2010-09-30 22:28 . 2010-09-30 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess

2010-09-30 22:15 . 2010-09-30 22:15 -------- d-----w- c:\program files\Common Files\Topaz Labs

2010-09-30 22:15 . 2010-09-30 22:15 -------- d-----w- c:\program files\Topaz Labs

2010-09-30 18:32 . 2010-09-30 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe

2010-09-30 18:20 . 2010-09-30 18:20 -------- d-----w- c:\program files\Adobe Media Player

2010-09-28 23:14 . 2010-09-28 23:14 -------- d-----w- c:\program files\iPod

2010-09-23 21:41 . 2010-09-23 21:41 -------- d-----w- c:\documents and settings\Dad\Application Data\AMPSoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-30 328056]

"iTunesFolderWatch"="c:\program files\JezSoft\iTunesFolderWatch\iTunesFolderWatch.exe" [2010-09-08 157696]

"FeedDemon"="c:\program files\FeedDemon\FeedDemon.exe" [2010-06-10 7201280]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-09-18 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Dad\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-2-1 576000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2010-4-3 303104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Dad\Application Data\iolo

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Ipswitch\\WS_FTP Pro\\wsftpgui.exe"=

"c:\\Program Files\\SoulseekNS\\slsk.exe"=

"c:\\Program Files\\WinSCP\\WinSCP.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Documents To Go Desktop\\DocsToGoDesktop.exe"=

"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Runes of Magic\\Client.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

"6881:TCP"= 6881:TCP:Azureus

"7777:UDP"= 7777:UDP:planeshift

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"5010:TCP"= 5010:TCP:Iphone

"5010:UDP"= 5010:UDP:iphone2

"5353:UDP"= 5353:UDP:bonjour

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate1c92be94c0e665a;Google Update Service (gupdate1c92be94c0e665a);c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 133104]

R2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [x]

R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]

R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-04 691696]

S1 aswSP;aswSP; [x]

S2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-05-19 57344]

S2 aswFsBlk;aswFsBlk; [x]

S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2010-06-11 312152]

S2 WTService;WTService;c:\windows\system32\atwtusb.exe [2008-10-29 372384]

S3 GMFilter Filter;GMFilter Filter;c:\windows\system32\Drivers\GMFilter.sys [2005-06-10 25088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-10-20 c:\windows\Tasks\20091118_010900_Dad3.job

- c:\program files\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2007-06-29 19:16]

2010-10-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-PC1-Kids.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-09-30 02:44]

2010-10-21 c:\windows\Tasks\AWC AutoSweep.job

- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-05-23 13:11]

2010-10-21 c:\windows\Tasks\AWC Update.job

- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-07-04 10:08]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 21:35]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 21:35]

2010-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-343818398-1229272821-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-343818398-1229272821-725345543-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-1229272821-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-1229272821-725345543-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Append to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Create PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Free YouTube Download - c:\documents and settings\Dad\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm

IE: Free YouTube to Mp3 Converter - c:\documents and settings\Dad\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm

IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\Evernote\Evernote3.5\enbar.dll

FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\

FF - prefs.js: browser.startup.homepage - hxxp://s6-eu.startpage.com/do/mypage.pl?prf=b149ef0eb27be03895df6c1b7d0529d3

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll

FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\Dad\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll

FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\plugins\npcoolirisplugin.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npBTEmailConfig.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\nprjplug.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.txt=Notepad++_file

.

- - - - ORPHANS REMOVED - - - -

BHO-{86DBE499-3DEA-4252-93B8-D1DBADE25BFC} - (no file)

BHO-{FA2D811E-5447-4E2E-AB70-3364ED0CF6F9} - (no file)

HKCU-Run-OpAgent - OpAgent.exe

HKLM-Run-Qqirem - c:\windows\abihixow.dll

ActiveSetup-{232f4e3f2-bab8-11d0-97b9-00c04f98bcb9} - c:\windows\system32\agsystem2.exe

AddRemove-EAX Unified (SHELL) - c:\program files\Creative Labs\EAX Unified (SHELL)\Uninst.isu

AddRemove-Network Play System (Patching) - c:\program files\Electronic Arts\Network Play System\NPSPatch.isu

AddRemove-{C8C8387B-A98B-44E8-807A-1A9B7F51FFDA} - c:\documents and settings\Dad\Local Settings\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}\setup_blazemp.exe

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3750B08A-6456-EC0A-937B-3A79761E0D83}*]

"hapeoijfkfomahhn"=hex:6d,64,6c,68,68,6b,62,6c,66,6f,61,66,66,66,68,67,61,67,

70,61,62,70,70,62,68,70,65,6e,67,67,63,61,6c,6a,6f,69,6b,6f,64,64,6f,69,69,\

"iadjenfpfjgcfojgne"=hex:6b,61,6b,61,70,64,6e,6e,6e,66,6c,61,6c,6c,64,6a,61,68,

6c,62,66,68,00,6c

"hafgpbkgdpfmcidf"=hex:6b,61,6b,61,6d,64,6b,6f,69,69,63,68,6b,6a,69,6e,68,67,

6e,6a,67,63,00,00

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74274A66-22CF-7507-E36B-140D9A963314}*]

"haacbbhjhbaoammi"=hex:6b,61,65,6d,64,61,65,61,69,70,6b,62,63,6b,66,67,68,66,

63,62,6c,65,00,00

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:0d,cd,14,78,f9,80,2c,cc,da,f0,41,96,53,d9,61,2d,ca,a9,43,e1,d0,fd,2b,

97,3d,0d,45,d9,15,e2,72,00,cf,66,53,c8,40,42,f4,3d,f3,ac,b7,41,23,d8,a6,53,\

"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2492)

c:\windows\system32\WININET.dll

c:\program files\Windows Media Player\wmpband.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\program files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP\DragExt.dll

c:\program files\Stardock\Fences\FencesMenu.dll

c:\program files\stardock\fences\DesktopDock.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\program files\Skype\Phone\Skype.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Last.fm\LastFM.exe

.

**************************************************************************

.

Completion time: 2010-10-21 20:20:15 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-21 19:20

Pre-Run: 13,219,295,232 bytes free

Post-Run: 13,216,215,040 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - A8F242BF525954DC9C782394B5552A33


Everything seems to be working fine :)

I got the warnings about abihixow.dll and mswpmt.dll being missing again. Do I need to do anything else?


I'll look at your ComboFix log and post back.


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\abihixow.dll
c:\windows\mswpmt.dll

RegNull::
[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3750B08A-6456-EC0A-937B-3A79761E0D83}*]
[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74274A66-22CF-7507-E36B-140D9A963314}*]

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


All now seems to be ok, computer booting up and startup programs loading as normal.

Here is the log:

ComboFix 10-10-20.04 - Dad 21/10/2010 21:52:14.3.2 - x86

Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::

"c:\windows\abihixow.dll"

"c:\windows\mswpmt.dll"

.

ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))

.

2010-10-20 20:48 . 2008-04-13 23:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2010-10-20 20:48 . 2001-08-17 21:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2010-10-20 20:48 . 2008-04-13 23:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll

2010-10-20 20:48 . 2001-08-17 21:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe

2010-10-20 20:48 . 2001-08-17 21:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe

2010-10-20 20:48 . 2001-08-17 21:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe

2010-10-20 20:48 . 2001-08-17 11:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys

2010-10-20 20:48 . 2004-08-03 21:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys

2010-10-20 20:48 . 2004-08-03 21:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys

2010-10-20 20:48 . 2008-04-13 17:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys

2010-10-20 20:48 . 2004-08-03 21:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys

2010-10-20 20:46 . 2001-08-17 13:02 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys

2010-10-20 20:45 . 2004-08-03 21:31 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys

2010-10-20 20:44 . 2001-08-17 12:52 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys

2010-10-20 20:43 . 2001-08-17 11:11 65278 -c--a-w- c:\windows\system32\dllcache\netflx3.sys

2010-10-20 20:42 . 2001-08-17 11:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys

2010-10-20 20:41 . 2001-08-17 21:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll

2010-10-20 20:40 . 2001-08-17 21:36 32768 -c--a-w- c:\windows\system32\dllcache\hpgtmcro.dll

2010-10-20 20:39 . 2001-08-17 11:20 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys

2010-10-20 20:38 . 2001-08-17 12:52 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys

2010-10-20 20:37 . 2001-08-17 12:52 22400 -c--a-w- c:\windows\system32\dllcache\asc3350p.sys

2010-10-20 18:16 . 2010-10-20 18:16 0 ----a-w- c:\windows\Czumim.bin

2010-10-18 20:23 . 2010-10-19 07:59 -------- d-----w- c:\documents and settings\Dad\Tracing

2010-10-18 16:45 . 2010-10-18 16:45 -------- d-----w- c:\documents and settings\Kids.PC1\Tracing

2010-10-17 20:57 . 2010-10-17 20:57 -------- d-----w- c:\program files\Microsoft

2010-10-17 20:57 . 2010-10-17 20:57 -------- d-----w- c:\program files\Windows Live SkyDrive

2010-10-17 20:45 . 2010-10-17 20:45 -------- d-----w- c:\program files\Common Files\Windows Live

2010-10-13 19:28 . 2010-10-13 19:28 -------- d-----w- c:\documents and settings\Dad\Application Data\Thunderbird

2010-10-13 19:25 . 2010-10-13 19:25 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-10-11 16:55 . 2010-10-11 16:55 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\Adobe Mini Bridge CS5

2010-10-11 16:55 . 2010-10-11 16:55 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

2010-10-10 10:51 . 2010-10-10 10:51 -------- d-----w- c:\documents and settings\Kids.PC1\Application Data\IObit

2010-10-09 18:07 . 2010-10-09 18:15 -------- d-----w- c:\documents and settings\Dad\Application Data\WindSolutions

2010-10-09 18:07 . 2010-10-09 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions

2010-10-06 22:47 . 2010-10-06 22:47 -------- d-----w- c:\program files\TweetDeck

2010-10-05 21:49 . 2010-10-05 21:49 -------- d-----w- c:\documents and settings\Dad\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1

2010-10-05 21:49 . 2010-10-05 21:49 -------- d-----w- c:\documents and settings\Dad\Application Data\Adobe Mini Bridge CS5

2010-09-30 22:53 . 2008-05-19 12:13 57344 ----a-w- c:\windows\system32\ASTSRV.EXE

2010-09-30 22:53 . 2010-09-30 22:53 -------- d-----w- c:\program files\Alien Skin

2010-09-30 22:28 . 2010-09-30 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess

2010-09-30 22:15 . 2010-09-30 22:15 -------- d-----w- c:\program files\Common Files\Topaz Labs

2010-09-30 22:15 . 2010-09-30 22:15 -------- d-----w- c:\program files\Topaz Labs

2010-09-30 18:32 . 2010-09-30 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe

2010-09-30 18:20 . 2010-09-30 18:20 -------- d-----w- c:\program files\Adobe Media Player

2010-09-28 23:14 . 2010-09-28 23:14 -------- d-----w- c:\program files\iPod

2010-09-23 21:41 . 2010-09-23 21:41 -------- d-----w- c:\documents and settings\Dad\Application Data\AMPSoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-30 328056]

"iTunesFolderWatch"="c:\program files\JezSoft\iTunesFolderWatch\iTunesFolderWatch.exe" [2010-09-08 157696]

"FeedDemon"="c:\program files\FeedDemon\FeedDemon.exe" [2010-06-10 7201280]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-09-18 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]

"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Dad\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-2-1 576000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2010-4-3 303104]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Dad\Application Data\iolo

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Ipswitch\\WS_FTP Pro\\wsftpgui.exe"=

"c:\\Program Files\\SoulseekNS\\slsk.exe"=

"c:\\Program Files\\WinSCP\\WinSCP.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Documents To Go Desktop\\DocsToGoDesktop.exe"=

"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Runes of Magic\\Client.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

"6881:TCP"= 6881:TCP:Azureus

"7777:UDP"= 7777:UDP:planeshift

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

"5010:TCP"= 5010:TCP:Iphone

"5010:UDP"= 5010:UDP:iphone2

"5353:UDP"= 5353:UDP:bonjour

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/06/2008 20:09 165584]

R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [30/09/2010 23:53 57344]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/06/2008 20:09 17744]

R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [24/08/2010 12:02 312152]

R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]

R3 GMFilter Filter;GMFilter Filter;c:\windows\system32\drivers\GMFilter.sys [03/01/2008 19:14 25088]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

S2 gupdate1c92be94c0e665a;Google Update Service (gupdate1c92be94c0e665a);c:\program files\Google\Update\GoogleUpdate.exe [11/10/2008 22:35 133104]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [19/01/2010 22:53 16512]

S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13:37 517096]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03/03/2007 20:08 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-10-20 c:\windows\Tasks\20091118_010900_Dad3.job

- c:\program files\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2007-06-29 19:16]

2010-10-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-PC1-Kids.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-09-30 02:44]

2010-10-21 c:\windows\Tasks\AWC AutoSweep.job

- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-05-23 13:11]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 21:35]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-11 21:35]

2010-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-343818398-1229272821-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-343818398-1229272821-725345543-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-1229272821-725345543-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

2010-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-1229272821-725345543-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 02:02]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Append to existing PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Create PDF file - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Create 5\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Free YouTube Download - c:\documents and settings\Dad\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm

IE: Free YouTube to Mp3 Converter - c:\documents and settings\Dad\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm

IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\Evernote\Evernote3.5\enbar.dll

FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\

FF - prefs.js: browser.startup.homepage - hxxp://s6-eu.startpage.com/do/mypage.pl?prf=b149ef0eb27be03895df6c1b7d0529d3

FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll

FF - component: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\Dad\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\62a7z0jd.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll

FF - plugin: c:\documents and settings\Dad\Application Data\Mozilla\plugins\npcoolirisplugin.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npBTEmailConfig.dll

FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\Opera\program\plugins\nprjplug.dll

FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll

FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF7647000]<< >>UNKNOWN [0xF7637000]<< >>UNKNOWN [0xF75A8000]<< >>UNKNOWN [0x806FF000]<< >>UNKNOWN [0xF7617000]<< >>UNKNOWN [0xF749A000]<< >>UNKNOWN [0xF7717000]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> 0xf764bf28

\Driver\ACPI -> 0xf75aecb8

\Driver\atapi -> 0xf76188b4

IoDeviceObjectType -> DeleteProcedure -> 0x805e710a

ParseProcedure -> 0x80578f7a

\Device\Harddisk0\DR0 -> DeleteProcedure -> 0x805e710a

ParseProcedure -> 0x80578f7a

NDIS: VIA Compatable Fast Ethernet Adapter -> SendCompleteHandler -> 0xf7426bb0

PacketIndicateHandler -> 0xf7433a21

SendHandler -> 0xf741187b

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-343818398-1229272821-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:0d,cd,14,78,f9,80,2c,cc,da,f0,41,96,53,d9,61,2d,ca,a9,43,e1,d0,fd,2b,

97,3d,0d,45,d9,15,e2,72,00,cf,66,53,c8,40,42,f4,3d,f3,ac,b7,41,23,d8,a6,53,\

"??"=hex:b5,5e,67,b3,49,08,72,ad,41,a9,3a,9c,e3,bb,58,83

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4036)

c:\windows\system32\WININET.dll

c:\program files\Windows Media Player\wmpband.dll

c:\program files\iTunes\iTunesMiniPlayer.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll

c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll

c:\program files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP\DragExt.dll

c:\program files\Stardock\Fences\FencesMenu.dll

c:\program files\stardock\fences\DesktopDock.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Google\Update\1.2.183.39\GoogleCrashHandler.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\windows\system32\atwtusb.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\program files\Skype\Phone\Skype.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-10-21 22:16:52 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-21 21:16

ComboFix2.txt 2010-10-21 19:20

Pre-Run: 13,218,349,056 bytes free

Post-Run: 13,146,337,280 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - 5F4A036981D77BD2CF3846A8E937398B


Great job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START, then Run
  • Now type ComboFix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.

For Vista / Windows 7:

  • Click START, then Search
  • Now type ComboFix /Uninstall in the search box and click OK. Note the space between the X and the U; it needs to be there.

Here's my usual all-clean post:

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :)

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:
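The six Internet Options changes in the post above can be checked rather than clicked through. The script below is an added example, not code from the thread, from Malwarebytes or from ComboFix: it audits the current user's Internet zone against those six settings and, only when run with -Apply, writes the recommended values. It assumes the per-user zone key HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and the URL-action value names 1001, 1004, 1201, 1607, 1800 and 1804 with 0/1/3 meaning Enable/Prompt/Disable, which is how Internet Explorer stores these zone actions; the setting names are the ones used in the post. It needs PowerShell 3.0 or later.

```powershell
# Added example, not part of the thread: audit (and optionally apply) the six
# Internet-zone settings the post above walks through in the IE Options dialog.
# Zone 3 is the Internet zone. The numeric value names are the URL-action IDs
# Internet Explorer stores under the zone key; 0 = Enable, 1 = Prompt, 3 = Disable.
[CmdletBinding()]
param(
    [switch]$Apply   # report only unless -Apply is given
)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended state from the post, keyed by the registry value name IE uses.
$Recommended = [ordered]@{
    '1001' = @{ Setting = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Setting = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Setting = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Setting = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Setting = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Setting = 'Navigate sub-frames across different domains';              Want = 1 }
}

$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneAction {
    # Returns the current DWORD for one URL action, or $null if the value is absent
    # (IE then falls back to the zone template default, so "absent" is worth seeing).
    param([string]$Path, [string]$ValueName)
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Get-StateLabel {
    # Human-readable form of a zone action value, tolerating unexpected numbers.
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    if ($Label.ContainsKey($Value)) { return $Label[$Value] }
    return "unknown ($Value)"
}

if (-not (Test-Path -Path $ZonePath)) {
    throw "Internet zone key not found: $ZonePath"
}

$report = foreach ($id in $Recommended.Keys) {
    $want    = $Recommended[$id].Want
    $current = Get-ZoneAction -Path $ZonePath -ValueName $id
    $status  = if ($current -eq $want) { 'OK' } else { 'DRIFT' }

    # Only touch the registry when the caller asked for it and the value differs.
    if ($status -eq 'DRIFT' -and $Apply) {
        Set-ItemProperty -Path $ZonePath -Name $id -Value $want -Type DWord
        $status = 'FIXED'
    }

    [pscustomobject]@{
        Id          = $id
        Setting     = $Recommended[$id].Setting
        Current     = Get-StateLabel $current
        Recommended = $Label[$want]
        Status      = $status
    }
}

$report | Format-Table -AutoSize

$drift = @($report | Where-Object Status -eq 'DRIFT').Count
if ($drift -gt 0) {
    Write-Warning "$drift setting(s) differ from the recommendation; re-run with -Apply to change them."
}
```

Run it without arguments first to see the drift table; a value reported as "not set" means IE is using the zone template default rather than an explicit choice. On a machine where zone settings are managed by Group Policy, or where the Security_HKLM_only flag makes IE read the HKLM copy of the zone key, the per-user values this script reads and writes are not the ones in effect, so check the policy or HKLM key in that case.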


Great job

You're more than welcome.

Glad we were able to help

Peace be with you


Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
